未知用户的“客户端"有什么作用?意思是? [英] what does Unknown user "client" mean?

问题描述

当我使用gcloud sdk在本地shell上运行一个简单命令时.

When I run a simple command on my local shell with gcloud sdk.

$ kubectl get pod

我得到这样的错误:

来自服务器的错误(禁止):禁止使用pods:用户"client"无法在集群范围内列出pods:未知用户"client"

Error from server (Forbidden): pods is forbidden: User "client" cannot list pods at the cluster scope: Unknown user "client"

同一命令在GCP云外壳上运行正常，并且输出

The same command runs fine on GCP cloud shell, and the output of

$ gcloud auth list

符合预期:

凭证帐户
ACTIVE ACCOUNT
* foo@bar.com

Credentialed Accounts
ACTIVE ACCOUNT
* foo@bar.com

我也尝试创建clusterrolebinding，但出现类似错误.

I also tried to create clusterrolebinding, but get similar error.

推荐答案

在群集设置中禁用旧版授权"时会发生这种情况，因为您使用的客户端证书是旧式身份验证方法.因此，看起来正在发生的事情是客户端身份验证成功，但是授权失败，正如预期的那样. (错误消息中的未知用户"令人困惑，这似乎意味着授权系统(而不是身份验证系统)不知道该用户.)

This happens when you disable Legacy Authorisation in the cluster settings, because the client certificate that you are using is a legacy authentication method. So it looks like what is happening is the client authentication succeeds but the authorisation fails, as expected. ("Unknown user" in the error message, confusingly, seems to mean the user is unknown to the authorisation system, not to the authentication system.)

您可以通过以下方式禁用对客户端证书的使用:

You can either disable the use of the client certificate with

gcloud config unset container/use_client_certificate

，然后使用

gcloud container clusters get-credentials my-cluster

或者您可以直接在Google Cloud Console的群集设置中重新启用旧版授权，或使用以下命令:

Or you can simply re-enable Legacy Authorisation in the cluster settings in the Google Cloud Console, or using the command:

gcloud container clusters update [CLUSTER_NAME] --enable-legacy-authorization

这篇关于未知用户的“客户端"有什么作用?意思是?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！