在没有kubectl的情况下访问Kubernetes API [英] Access Kubernetes API without kubectl

问题描述

我正在尝试不运行kubectl -proxy而直接访问Kubernetes API. 但是，当我使用默认的serviceaccount令牌时，得到了403. 即使在为此服务帐户创建ClusterRole和ClusterRoleBinding之后，该请求也会被403拒绝.

I am trying to access the Kubernetes API directly without running kubectl -proxy. But when I use the token of the serviceaccount default, I get a 403. Even after creating a ClusterRole and ClusterRoleBinding for this serviceaccount, the request is rejected with 403.

我应用的配置如下:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

(这几乎来自kubernetes io上的文档，只是使用ServiceAccount作为Subject并将资源更改为pods)

(It is nearly the one from the docs on kubernetes io, just used the ServiceAccount as Subject and changed the resource to pods)

然后我应用了配置并尝试通过curl访问pod:

Then I applied the config and tried to access the pods via curl:

$ kubectl apply -f secrets.yaml 
clusterrole "pod-reader" created
clusterrolebinding "pod-reader" created
$ curl https://192.168.1.31:6443/v1/api/namespaces/default/pods --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:default:default\" cannot get path \"/v1/api/namespaces/default/pods\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}

我猜错误消息表明身份验证部分是正确的，因为看起来请求已被正确标识为来自serviceaccount default:default. 但是，我应该怎么做才能赋予该(或另一个服务帐户)访问有关Pod或节点的信息的权限?

I guess the error message shows that the authentication part is ok, because it looks like the request was correctly identified as coming from the serviceaccount default:default. But what do I have to do to entitle this (or another service account) to access information about the pods or nodes?

从Pod外部调用curl时，我也看到此错误，但如果我(例如)使用kubernetes Java客户端通过在/var/run/secrets下安装的密钥从Pod内部访问API，也会看到此错误.

I see this error when calling curl from outside a Pod, but also if I - for example - use the kubernetes java client to access the API from within a Pod using the secret mounted under /var/run/secrets.

我是K8s的新手，所以如果这是一个愚蠢的问题，请原谅我.

I am a K8s newbie, so please forgive me if this is a stupid question.

关于配置: 我在带有一个主节点和两个工作节点的Raspberry Pi群集上运行K8s 1.8. 我对kubeadm init的传递不多，所以我猜它应该具有默认配置. FWIW kubectl describe显示了用于apiserver的以下命令:

Regarding the configuration: I have K8s 1.8 running on a cluster of Raspberry Pis with one Master and two Worker Nodes. I didn't pass much to kubeadm init, so I guess it should have the default configuration. FWIW kubectl describe shows this command for the apiserver:

  kube-apiserver
  --requestheader-group-headers=X-Remote-Group
  --service-account-key-file=/etc/kubernetes/pki/sa.pub
  --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota
  --secure-port=6443
  --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
  --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
  --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
  --advertise-address=192.168.1.31
  --service-cluster-ip-range=10.96.0.0/12
  --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
  --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
  --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
  --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
  --enable-bootstrap-token-auth=true
  --requestheader-username-headers=X-Remote-User
  --allow-privileged=true
  --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
  --requestheader-extra-headers-prefix=X-Remote-Extra-
  --requestheader-allowed-names=front-proxy-client
  --client-ca-file=/etc/kubernetes/pki/ca.crt
  --insecure-port=0
  --authorization-mode=Node,RBAC
  --etcd-servers=http://127.0.0.1:2379

推荐答案

我认为您的卷曲路径中有一个小问题，应该是/api/v1/namespaces/...而不是/v1/api/namespaces/....参见例如 https://kubernetes.io/docs/api-reference/v1 .8/#list-62

I think you have a little issue in your curl path, it should be /api/v1/namespaces/... and not /v1/api/namespaces/.... See e.g. https://kubernetes.io/docs/api-reference/v1.8/#list-62

这篇关于在没有kubectl的情况下访问Kubernetes API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！