如何使用curl从一个窗格中访问Kubernetes API? [英] How can I use curl to access the Kubernetes API from within a pod?
问题描述
我在Google Kubernetes Engine上使用Kubernetes 1.8.6,并将一个运行Alpine的pod作为 StatefulSet
的一部分。
我使用 kubectl exec -it my-pod-0 - / bin / sh
登录到了我的窗格,然后在提示符下运行以下命令:
$ CA_CERT = / var / run / secrets / kubernetes.io / serviceaccount / ca.crt
$ TOKEN = $ (cat /var/run/secrets/kubernetes.io/serviceaccount/token)
$ NAMESPACE = $(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
$ curl - cacert $ CA_CERT -HAuthorization:Bearer $ TOKENhttps:// kubernetes
/ api / v1 / namespaces / $ NAMESPACE / services /
不幸的是,403 Forbidden错误被返回:
{
kind:状态,
apiVersion:v1,
元数据:{
},
状态:失败,
message:服务被禁止:User \system:serviceaccount:default:default \无法列出服务在命名空间\default \中:未知用户\system:serviceaccount:default:default \,
reason:Forbidden,
details:{
kind:services
},
code:403
我做错了什么? 你没有做错任何事情。该吊舱的服务帐户(在吊舱的serviceAccountName中指定)根本没有任何API权限。
您可以授予该服务帐户的视图角色,如下所示:
kubectl create rolebinding default-viewer \
--clusterrole = view \
--serviceaccount = default:default \
--namespace = default
请参阅 https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions 了解有关授予服务帐户权限的更多详细信息。
I am using Kubernetes 1.8.6 on Google Kubernetes Engine and have a pod running Alpine as part of a StatefulSet
.
I have logged into my pod using kubectl exec -it my-pod-0 -- /bin/sh
and then run the following commands at the prompt:
$ CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
$ TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
$ NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
$ curl --cacert $CA_CERT -H "Authorization: Bearer $TOKEN" "https://kubernetes
/api/v1/namespaces/$NAMESPACE/services/"
Unfortunately a 403 Forbidden error is returned:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "services is forbidden: User \"system:serviceaccount:default:default\" cannot list services in the namespace \"default\": Unknown user \"system:serviceaccount:default:default\"",
"reason": "Forbidden",
"details": {
"kind": "services"
},
"code": 403
What am I doing wrong?
You're not doing anything wrong. That pod's service account (specified in the pod's serviceAccountName) simply doesn't have any API permissions.
You can grant a view role to that service account like this:
kubectl create rolebinding default-viewer \
--clusterrole=view \
--serviceaccount=default:default \
--namespace=default
See https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions for more details about granting permissions to service accounts.
这篇关于如何使用curl从一个窗格中访问Kubernetes API?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!