Kubernetes RBAC unable to upgrade connection: Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)


Question

I'm running Kubernetes 1.6.2 with RBAC enabled. I've created a user kube-admin that has the following ClusterRoleBinding:

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: k8s-admin
    subjects:
    - kind: User
      name: kube-admin
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io

When I attempt to kubectl exec into a running pod I get the following error:

    kubectl -n kube-system exec -it kubernetes-dashboard-2396447444-1t9jk -- /bin/bash
    error: unable to upgrade connection: Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)

My guess is I'm missing a ClusterRoleBinding ref. Which role am I missing?

Accepted answer

The connection between kubectl and the API server is fine, and is being authorized correctly.

To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.

Your kubelet is configured to authenticate/authorize requests, and the apiserver is not providing authentication information recognized by the kubelet.

The way the apiserver authenticates to the kubelet is with a client certificate and key, configured with the --kubelet-client-certificate=... --kubelet-client-key=... flags provided to the API server.

See https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#overview for more information.
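The two-step decision the answer describes, as an added example that is not part of the original question or answer and not Kubernetes code: an in-memory model of the kubelet's x509 client-certificate authenticator followed by the nodes/proxy authorization check. It constructs its own throwaway CAs and certificates, and it makes two simplifying assumptions: that the subject CN becomes the username and O entries become groups (how the Kubernetes x509 authenticator behaves), and that the webhook authorizer allows only the system:masters group (the group kubeadm places on the apiserver's kubelet client certificate; a real cluster answers the SubjectAccessReview with RBAC). It reproduces the question's error when the apiserver presents no certificate or one from a CA the kubelet does not trust, and the kubelet's default --anonymous-auth=true is what turns the unrecognized client into system:anonymous rather than an outright rejection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint creates a fresh P-256 key and a certificate for tmpl. With parent == nil
// the certificate is self-signed (a CA); otherwise it is signed by parentKey.
// All material is constructed in memory for this example; no real PKI is touched.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// clientTemplate is the shape of the cert the apiserver presents through
// --kubelet-client-certificate/--kubelet-client-key: CN is the username,
// O entries are the groups (assumption: matches the Kubernetes x509 authenticator).
func clientTemplate(cn string, groups []string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: groups},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// authenticate models the kubelet: the presented cert must chain to the CA in
// its --client-ca-file. If it does not and --anonymous-auth is true (the
// default), the request continues as system:anonymous, the identity in the error.
func authenticate(clientCA, presented *x509.Certificate, anonymousAuth bool) (user string, groups []string, ok bool) {
	if presented != nil {
		roots := x509.NewCertPool()
		roots.AddCert(clientCA)
		opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := presented.Verify(opts); err == nil {
			return presented.Subject.CommonName, presented.Subject.Organization, true
		}
	}
	if anonymousAuth {
		return "system:anonymous", []string{"system:unauthenticated"}, true
	}
	return "", nil, false
}

// authorizeNodesProxy stands in for the SubjectAccessReview a kubelet in
// --authorization-mode=Webhook sends to the apiserver (exec needs create on
// nodes/proxy). Simplification: only system:masters is allowed.
func authorizeNodesProxy(user string, groups []string) error {
	for _, g := range groups {
		if g == "system:masters" {
			return nil
		}
	}
	return fmt.Errorf("Forbidden (user=%s, verb=create, resource=nodes, subresource=proxy)", user)
}

// ExecDecision is the kubelet's decision for one exec request, given the client
// cert the apiserver presented (nil when it presented none).
func ExecDecision(kubeletCA, presented *x509.Certificate) error {
	user, groups, ok := authenticate(kubeletCA, presented, true)
	if !ok {
		return fmt.Errorf("Unauthorized")
	}
	return authorizeNodesProxy(user, groups)
}

// Scenarios reproduces the failure and the fix: no client cert, a cert from a
// CA the kubelet does not trust, and a cert from the CA in --client-ca-file.
func Scenarios() (noCert, wrongCA, rightCA error) {
	kubeletCA, kubeletKey := must(mint(caTemplate("kubelet-client-ca", 1), nil, nil))
	otherCA, otherKey := must(mint(caTemplate("unrelated-ca", 2), nil, nil))
	cn, groups := "kube-apiserver-kubelet-client", []string{"system:masters"}
	bad, _ := must(mint(clientTemplate(cn, groups, 3), otherCA, otherKey))
	good, _ := must(mint(clientTemplate(cn, groups, 4), kubeletCA, kubeletKey))
	return ExecDecision(kubeletCA, nil), ExecDecision(kubeletCA, bad), ExecDecision(kubeletCA, good)
}

func must(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return c, k
}

func main() {
	noCert, wrongCA, rightCA := Scenarios()
	fmt.Println("no client cert:", noCert)
	fmt.Println("untrusted CA:  ", wrongCA)
	fmt.Println("trusted CA:    ", rightCA)
}
```

The practical check this encodes: the certificate given to the apiserver with --kubelet-client-certificate must verify against the CA the kubelet was started with (its --client-ca-file), and its subject must be something the kubelet's webhook authorizer grants create on nodes/proxy. A RoleBinding for the kubectl user, as the question tried, never enters this path, because the identity the kubelet sees is the apiserver's, not the user's.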
