如何解决Kubernetes 从外部访问指标服务器 API
我正在尝试在不使用 kubectl proxy
的情况下访问 k8s 集群的指标服务器。在 https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#without-kubectl-proxy 找到教程后,我遇到了一个问题。
在发出请求 curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq
时,我收到以下权限错误:
curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq 11:58AM
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 386 100 386 0 0 2064 0 --:--:-- --:--:-- --:--:-- 2064
{
"kind": "Status","apiVersion": "v1","Metadata": {},"status": "Failure","message": "nodes.metrics.k8s.io is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"nodes\" in API group \"metrics.k8s.io\" at the cluster scope","reason": "Forbidden","details": {
"group": "metrics.k8s.io","kind": "nodes"
},"code": 403
}
我尝试使用以下 ClusterRoleBinding 创建自定义 ServiceAccount testaccount
:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
Metadata:
name: test-admin
rules:
- apiGroups: [""]
resources: ["pods","nodes"]
verbs: ["get","watch","list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
Metadata:
name: test-rbac
subjects:
- kind: ServiceAccount
name: testaccount
namespace: default
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
我已经尝试使用包含的 ClusterRole 以及 cluster-admin
集群角色。使用这些更改后生成的令牌,我仍然遇到相同的 curl 错误。
解决方法
我发现需要修改的是 apiGroups
。以下 ClusterRole 和 ClusterRoleBinding 有效:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: test-admin
rules:
- apiGroups: ["*"] # This was the change
resources: ["pods","nodes"]
verbs: ["get","watch","list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: test-rbac
subjects:
- kind: ServiceAccount
name: testaccount
namespace: default
roleRef:
kind: ClusterRole
name: test-admin
apiGroup: rbac.authorization.k8s.io
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。