Kubernetes - Granting RBAC access to anonymous users in kube dns
Question
I have a Kubernetes cluster set up with a master and a worker node. kubectl cluster-info shows kubernetes-master as well as kube-dns running successfully.
I am trying to access the URL below; since it is internal to my organization, the URL is not visible to the external world.
https://10.118.3.22:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
But I am getting the error below when I access it -
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"kube-dns:dns\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "kube-dns:dns",
    "kind": "services"
  },
  "code": 403
}
Please let me know how to grant full access to the anonymous user. I read about RBAC at https://kubernetes.io/docs/reference/access-authn-authz/rbac/ but am unable to figure out what exactly I need to do. Thanks
Recommended answer
You can grant admin privileges to the anonymous user, but I strongly discourage it. This will give anyone outside the cluster access to the services using the URL.
Even so, if you decide to grant all the access to the anonymous user, you can do it the following way:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: anonymous-role
rules:
# Only the proxy subresource of services in the core ("") API group
- apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: anonymous-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: anonymous-role
subjects:
# Bind the role to the unauthenticated user named in the 403 message
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:anonymous
This will allow the anonymous user to proxy your services, not to access all resources. If you want that for all resources, you need to provide resources: ["*"] in anonymous-role.
Hope this helps.
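As an added example (not part of the question or the answer), a small Python evaluator that mirrors the answer's ClusterRole and ClusterRoleBinding as dicts and checks whether the request behind the 403 (get on services/proxy as system:anonymous) would be allowed once they are applied; it also handles the answer's resources: ["*"] variant through the same wildcard match. bindings_exposing_anonymous is an assumed audit helper, not a kubectl feature.

```python
# The answer's two RBAC objects, copied here as Python dicts (constructed;
# no YAML library needed). Only the fields the evaluator reads are included.
ANONYMOUS_ROLE = {
    "metadata": {"name": "anonymous-role"},
    "rules": [{"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["*"]}],
}
ANONYMOUS_BINDING = {
    "metadata": {"name": "anonymous-binding"},
    "roleRef": {"kind": "ClusterRole", "name": "anonymous-role"},
    "subjects": [{"kind": "User", "name": "system:anonymous"}],
}

def _matches(allowed, value):
    # RBAC treats "*" as a wildcard in apiGroups, resources and verbs.
    return "*" in allowed or value in allowed

def rule_allows(rule, api_group, resource, verb):
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def can(user, groups, roles, bindings, api_group, resource, verb):
    """True if some binding for `user` (or one of its `groups`) references a
    ClusterRole with a rule that allows the (api_group, resource, verb) request."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    for binding in bindings:
        bound = any(
            (s["kind"] == "User" and s["name"] == user)
            or (s["kind"] == "Group" and s["name"] in groups)
            for s in binding.get("subjects", []))
        role = by_name.get(binding["roleRef"]["name"])
        if bound and role and any(
                rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False

def bindings_exposing_anonymous(bindings):
    """Audit helper (assumed, not a kubectl feature): names of bindings whose
    subjects include the unauthenticated principals."""
    exposed = {"system:anonymous", "system:unauthenticated"}
    return [b["metadata"]["name"] for b in bindings
            if any(s["name"] in exposed for s in b.get("subjects", []))]

if __name__ == "__main__":
    # The request that produced the 403 in the question; system:anonymous is
    # always a member of the system:unauthenticated group.
    print(can("system:anonymous", ["system:unauthenticated"],
              [ANONYMOUS_ROLE], [ANONYMOUS_BINDING], "", "services/proxy", "get"))
    print(bindings_exposing_anonymous([ANONYMOUS_BINDING]))
```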