API requests other than /api/v1 return 403 “Forbidden”

Updated: 2024-10-28 15:28:16

Hi, I installed a fresh Kubernetes cluster on Ubuntu 16.04 using this tutorial: https://blog.alexellis.io/kubernetes-in-10-minutes/

However, as soon as I try to access my API (for example: https://[server-ip]:6443/api/v1/namespaces), I get the following message:

{ "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": "namespaces is forbidden: User \"system:bootstrap:a916af\" cannot list namespaces at the cluster scope", "reason": "Forbidden", "details": { "kind": "namespaces" }, "code": 403 }

Does anyone know how to fix this or what I am doing wrong?

Best answer

While I haven't run through that tutorial, the service account with which you're making the request doesn't have access to cluster-level information, like listing namespaces. RBAC (Role-Based Access Control) binds users with either a Role or a ClusterRole, which grant them different permissions. My guess is that service account shouldn't ever need to know what other namespaces exist, therefore doesn't have access to list them.

In terms of "fixing" this, aside from creating a serviceaccount/user with correct permissions, that tutorial makes several references to a config file stored at $HOME/.kube/config, which stores the credentials for a user that should have access to cluster-level resources, including listing namespaces. You could start there.

Published: 2023-08-05 17:01:00