Started an api-server; how do I get permission to access this service?

The script used to start the api-server is as follows:
/root/k8s/kubernetes/server/bin/kube-apiserver \
--log-dir=/root/k8s/kubernetes/log/kube-apiserver \
--log-file=/root/k8s/kubernetes/log/kube-apiserver/log.log \
--logtostderr=true \
--allow-privileged=true \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--advertise-address=192.168.123.78 \
--service-cluster-ip-range=10.96.0.0/12 \
--service-node-port-range=30000-32767 \
--etcd-servers=https://192.168.123.78:2379,https://192.168.123.79:2379,https://192.168.123.80:2379 \
--etcd-cafile=/root/certs/ca.pem \
--etcd-certfile=/root/certs/etcd.pem \
--etcd-keyfile=/root/certs/etcd-key.pem \
--tls-cert-file=/root/certs/api-server.pem \
--tls-private-key-file=/root/certs/api-server-key.pem \
--client-ca-file=/root/certs/ca.pem \
--kubelet-client-certificate=/root/certs/client.pem \
--kubelet-client-key=/root/certs/client-key.pem \
--service-account-key-file=/root/certs/api-server.pem \
--service-account-signing-key-file=/root/certs/api-server-key.pem \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--kubelet-preferred-address-types=Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--requestheader-client-ca-file=/root/certs/ca.pem \
--proxy-client-cert-file=/root/certs/proxy.pem \
--proxy-client-key-file=/root/certs/proxy-key.pem \
--requestheader-allowed-names="" \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-username-headers=X-Remote-User
Using the --kubelet-client-certificate and --kubelet-client-key from it, I generated a config:
/root/k8s/kubernetes/server/bin/kubectl config set-cluster kubernetes --certificate-authority=/root/certs/ca.pem --embed-certs=true --server=https://192.168.123.78:6443 --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
/root/k8s/kubernetes/server/bin/kubectl config set-credentials kubernetes-admin --client-certificate=/root/certs/client.pem --client-key=/root/certs/client-key.pem --embed-certs=true --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
/root/k8s/kubernetes/server/bin/kubectl config set-context kubernetes-admin@kubernetes --cluster=kubernetes --user=kubernetes-admin --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
/root/k8s/kubernetes/server/bin/kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
Then, when I accessed the server with admin.kubeconfig, I got a 403:
./kubectl get cs --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig -v=9
<<<<<
Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/api\"","reason":"Forbidden","details":{},"code":403}
I1002 21:44:12.604038 227095 round_trippers.go:466] curl -v -XGET -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.25.2 (linux/amd64) kubernetes/5835544" 'https://192.168.123.78:6443/apis?timeout=32s'
Does anyone know what the cause is? Or, for a freshly started API-SERVER, where is the so-called admin account/password, and how do I access the api-server?
1
aqua02 OP: Solved. If you access via a certificate, the certificate's CN must carry something like system:xxx. Frankly, that's disgusting.
2
plko345 2022-10-03 21:18:28 +08:00 via Android
The best-practices section of the docs explains this clearly; calling it disgusting isn't fair.
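Added example, not code from Kubernetes or from anyone in the thread: a small Python model of the path the OP's request took, X.509 client-certificate authentication (--client-ca-file: the CN becomes the username, each O becomes a group; a certificate that does not chain to that CA leaves the request as system:anonymous, the user named in the 403 body above) followed by RBAC authorization (by default, cluster-admin is bound to the group system:masters, and discovery paths such as /api are only open to system:authenticated). The subject strings, the CN "kubelet-client" standing in for whatever the post's client.pem carries, and the role and binding tables are constructed; the tables only approximate what a fresh cluster installs.

```python
"""Model of kube-apiserver X.509 authn + RBAC authz (constructed illustration)."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UserInfo:
    name: str
    groups: List[str]


# Identity the apiserver falls back to when no authenticator recognises the client.
ANONYMOUS = UserInfo("system:anonymous", ["system:unauthenticated"])

# Constructed approximation of the default ClusterRoles relevant to the thread.
ROLES: Dict[str, List[dict]] = {
    "cluster-admin": [
        {"verbs": ["*"], "apiGroups": ["*"], "resources": ["*"]},
        {"verbs": ["*"], "nonResourceURLs": ["*"]},
    ],
    "system:discovery": [
        {"verbs": ["get"], "nonResourceURLs": [
            "/api", "/api/*", "/apis", "/apis/*", "/healthz", "/livez",
            "/openapi", "/openapi/*", "/readyz", "/version", "/version/"]},
    ],
    "system:public-info-viewer": [
        {"verbs": ["get"], "nonResourceURLs": [
            "/healthz", "/livez", "/readyz", "/version", "/version/"]},
    ],
}

# Constructed approximation of the default ClusterRoleBindings.
BINDINGS = [
    {"role": "cluster-admin", "subjects": [("Group", "system:masters")]},
    {"role": "system:discovery", "subjects": [("Group", "system:authenticated")]},
    {"role": "system:public-info-viewer",
     "subjects": [("Group", "system:authenticated"), ("Group", "system:unauthenticated")]},
]


def parse_subject(subject: str) -> Tuple[Optional[str], List[str]]:
    """Split an OpenSSL-style subject "CN=x,O=y,O=z" into its CN and the list of O values."""
    cn: Optional[str] = None
    orgs: List[str] = []
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key == "CN":
            cn = value
        elif key == "O":
            orgs.append(value)
    return cn, orgs


def authenticate(subject: str, chains_to_client_ca: bool) -> UserInfo:
    """X.509 authn: CN -> username, each O -> group, plus system:authenticated.
    A cert that does not chain to --client-ca-file yields no identity at all."""
    if not chains_to_client_ca:
        return ANONYMOUS
    cn, orgs = parse_subject(subject)
    if not cn:
        return ANONYMOUS
    return UserInfo(cn, orgs + ["system:authenticated"])


def _match(pattern: str, value: str) -> bool:
    """RBAC wildcard semantics: "*" matches anything, a trailing "*" is a prefix match."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authorize(user: UserInfo, verb: str, path: Optional[str] = None,
              resource: Optional[str] = None, api_group: str = "") -> bool:
    """Allow if a binding naming the user or one of its groups carries a rule that
    covers the verb and either the non-resource path or the (apiGroup, resource)."""
    for binding in BINDINGS:
        bound = any((kind == "User" and name == user.name) or
                    (kind == "Group" and name in user.groups)
                    for kind, name in binding["subjects"])
        if not bound:
            continue
        for rule in ROLES[binding["role"]]:
            if not any(_match(v, verb) for v in rule["verbs"]):
                continue
            if path is not None and any(_match(p, path) for p in rule.get("nonResourceURLs", [])):
                return True
            if resource is not None and \
               any(_match(g, api_group) for g in rule.get("apiGroups", [])) and \
               any(_match(r, resource) for r in rule.get("resources", [])):
                return True
    return False


def request(subject: str, chains_to_client_ca: bool, verb: str, **target) -> int:
    """One request end to end; returns the HTTP status the apiserver would answer."""
    user = authenticate(subject, chains_to_client_ca)
    return 200 if authorize(user, verb, **target) else 403
```

`kubectl get cs` first does discovery (GET /api, /apis) and then fetches the resource, so the model distinguishes three outcomes: a certificate the apiserver cannot chain to its client CA is anonymous and fails already at /api (the thread's 403); a certificate that chains but whose subject matches no binding passes discovery and fails on componentstatuses; a subject with O=system:masters is cluster-admin and passes both. Issuing a dedicated admin certificate with that group, rather than reusing the cert the apiserver presents to kubelets, also keeps the audit log's username meaningful.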