未知用户“客户端"是什么?意思是? [英] what does Unknown user "client" mean?

问题描述

当我使用 gcloud sdk 在本地 shell 上运行一个简单的命令时.

When I run a simple command on my local shell with gcloud sdk.

$ kubectl get pod

我收到这样的错误:

来自服务器的错误(禁止):pods 被禁止:用户client"无法在集群范围内列出 pods:未知用户client"

Error from server (Forbidden): pods is forbidden: User "client" cannot list pods at the cluster scope: Unknown user "client"

同样的命令在 GCP cloud shell 上运行良好，输出

The same command runs fine on GCP cloud shell, and the output of

$ gcloud auth list

符合预期:

凭据帐户
活跃账户
* foo@bar.com

我也尝试创建集群角色绑定，但得到类似的错误.

I also tried to create clusterrolebinding, but get similar error.

推荐答案

当您在集群设置中禁用 Legacy Authorization 时会发生这种情况，因为您使用的客户端证书是旧式身份验证方法.所以看起来正在发生的事情是客户端身份验证成功但授权失败，正如预期的那样.(错误消息中的未知用户"令人困惑，似乎是授权系统不知道该用户，而不是身份验证系统.)

This happens when you disable Legacy Authorisation in the cluster settings, because the client certificate that you are using is a legacy authentication method. So it looks like what is happening is the client authentication succeeds but the authorisation fails, as expected. ("Unknown user" in the error message, confusingly, seems to mean the user is unknown to the authorisation system, not to the authentication system.)

您可以通过

gcloud config unset container/use_client_certificate

然后使用

gcloud container clusters get-credentials my-cluster

或者您可以简单地在 Google Cloud Console 的集群设置中重新启用 Legacy Authorization，或使用以下命令:

Or you can simply re-enable Legacy Authorisation in the cluster settings in the Google Cloud Console, or using the command:

gcloud container clusters update [CLUSTER_NAME] --enable-legacy-authorization

这篇关于未知用户“客户端"是什么?意思是?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！