User "system:anonymous" cannot get path "/"
Problem description
I just set up a Kubernetes cluster based on this link: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#multi-platform. I checked with kubectl get nodes, and the master node is Ready, but when I access the link https://k8s-master-ip:6443/ it shows the error: User "system:anonymous" cannot get path "/". What is the trick I am missing?
Recommended answer
The latest Kubernetes deployment tools enable RBAC on the cluster. Jenkins is relegated to the catch-all user system:anonymous when it accesses https://192.168.70.94:6443/api/v1/... This user has almost no privileges on kube-apiserver.
The bottom line is, Jenkins needs to authenticate with kube-apiserver - either with a bearer token or a client cert that's signed by the k8s cluster's CA key.
Method 1. This is preferred if Jenkins is hosted in the k8s cluster:
- Create a ServiceAccount in k8s for the plugin
- Create an RBAC profile (i.e. Role/RoleBinding or ClusterRole/ClusterRoleBinding) that's tied to the ServiceAccount
- Configure the plugin to use the ServiceAccount's token when accessing the URL https://192.168.70.94:6443/api/v1/...
Method 2. If Jenkins is hosted outside the k8s cluster, the steps above can still be used. The alternative is to:
- Create a client cert that's tied to the k8s cluster's CA. You have to find where the CA key is kept and use it to generate a client cert.
- Create an RBAC profile (i.e. Role/RoleBinding or ClusterRole/ClusterRoleBinding) that's tied to the client cert
- Configure the plugin to use the client cert when accessing the URL https://192.168.70.94:6443/api/v1/...
Both methods work in any situation. I believe Method 1 will be simpler for you because you don't have to mess around with the CA key.
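
The three steps of Method 1, as an added example that is not part of the original answer: a ServiceAccount, a namespaced Role and RoleBinding, and a request that presents the ServiceAccount's bearer token. The namespace `jenkins`, the account name `jenkins-plugin`, the read-only pod verbs, and the kubeadm default CA path `/etc/kubernetes/pki/ca.crt` are assumptions; grant only the verbs the plugin actually needs.

```shell
# Added example (not from the original answer). Names and verbs are assumptions.

# Print a ServiceAccount, a Role and the RoleBinding that ties them together.
render_rbac() {
  ns="$1"; sa="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-role
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-binding
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa}-role
EOF
}

# Call the API server as the ServiceAccount instead of system:anonymous.
# $1 = API server URL, $2 = namespace, $3 = bearer token, $4 = cluster CA cert
list_pods_as_sa() {
  curl --silent --show-error --fail --cacert "$4" \
       -H "Authorization: Bearer $3" "$1/api/v1/namespaces/$2/pods"
}

# Usage on a live cluster (namespace must exist; create token needs v1.24+):
#   render_rbac jenkins jenkins-plugin | kubectl apply -f -
#   TOKEN=$(kubectl create token jenkins-plugin -n jenkins)
#   list_pods_as_sa https://192.168.70.94:6443 jenkins "$TOKEN" /etc/kubernetes/pki/ca.crt
```

`kubectl auth can-i list pods -n jenkins --as=system:serviceaccount:jenkins:jenkins-plugin` confirms the binding took effect before the token is handed to Jenkins.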