User "system:anonymous" cannot get path "/"


Problem description

I just set up a Kubernetes cluster based on this link: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#multi-platform. I checked with kubectl get nodes, and the master node is Ready, but when I access the link https://k8s-master-ip:6443/ it shows the error: User "system:anonymous" cannot get path "/". What is the trick I am missing?

Recommended answer

The latest kubernetes deployment tools enable RBAC on the cluster. Jenkins is relegated to the catch-all user system:anonymous when it accesses https://192.168.70.94:6443/api/v1/.... This user has almost no privileges on kube-apiserver.

The bottom line is, Jenkins needs to authenticate with kube-apiserver - either with a bearer token or a client cert that's signed by the k8s cluster's CA key.

Method 1. This is preferred if Jenkins is hosted in the k8s cluster:

  1. Create a ServiceAccount in k8s for the plugin
  2. Create an RBAC profile (i.e. Role/RoleBinding or ClusterRole/ClusterRoleBinding) that's tied to the ServiceAccount
  3. Configure the plugin to use the ServiceAccount's token when accessing the URL https://192.168.70.94:6443/api/v1/...

Method 2. If Jenkins is hosted outside the k8s cluster, the steps above can still be used. The alternative is to:

  1. Create a client cert that's tied to the k8s cluster's CA. You have to find where the CA key is kept and use it to generate a client cert.
  2. Create an RBAC profile (i.e. Role/RoleBinding or ClusterRole/ClusterRoleBinding) that's tied to the client cert
  3. Configure the plugin to use the client cert when accessing the URL https://192.168.70.94:6443/api/v1/...

Both methods work in any situation. I believe Method 1 will be simpler for you because you don't have to mess around with the CA key.
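
A manifest for the three steps of Method 1, as an added example that is not part of the original answer. The namespace `jenkins`, the ServiceAccount `jenkins-plugin`, the Role `jenkins-agent-pods` and the rule set (a plugin that launches build pods) are assumptions; the Role is namespaced so the token carries no cluster-wide rights, and nothing is granted to system:anonymous.

```yaml
# Added example: ServiceAccount + least-privilege Role + RoleBinding.
# All names below are hypothetical; the namespace must already exist.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-plugin
  namespace: jenkins
---
# Namespaced Role: applies only inside "jenkins" and grants only what is listed.
# The rules are an assumption; trim them to the calls your plugin really makes.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-agent-pods
  namespace: jenkins
rules:
  - apiGroups: [""]            # "" is the core API group (pods live here)
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
# Ties the Role to the ServiceAccount. A RoleBinding (not ClusterRoleBinding)
# keeps the grant scoped to this one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-agent-pods
  namespace: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins-plugin
    namespace: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-agent-pods
# After `kubectl apply -f`, confirm the grant is no wider than the rules above:
#   kubectl auth can-i create pods -n jenkins \
#     --as=system:serviceaccount:jenkins:jenkins-plugin
#   kubectl auth can-i get secrets -n jenkins \
#     --as=system:serviceaccount:jenkins:jenkins-plugin
#   kubectl auth can-i get pods -n jenkins --as=system:anonymous
# Issue a token for the plugin (kubectl v1.24+):
#   kubectl create token jenkins-plugin -n jenkins
```

The plugin then sends the token as `Authorization: Bearer <token>`, so the API server sees `system:serviceaccount:jenkins:jenkins-plugin` instead of `system:anonymous`.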
