Kubernetes kubectl - error: You must be logged in to the server, on bare metal

I created a CSR and approved it -

$ kubectl get csr
NAME        AGE   REQUESTOR          CONDITION
parth-csr   28m   kubernetes-admin   Approved,Issued

The certificate was created using kubectl only, with the username parth and the group devs

        Issuer: CN=kubernetes
        Validity
            Not Before: Dec 16 18:51:00 2019 GMT
            Not After : Dec 15 18:51:00 2020 GMT
        Subject: O=devs, CN=parth
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

Here, I want to authenticate on the basis of the group devs.

Clusterrole.yaml is as follows -

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs
rules:
  - apiGroups: [""]
    resources: ["nodes", "pods", "secrets", "pods", "pods/log", "configmaps", "services", "endpoints", "deployments", "jobs", "crontabs"]
    verbs: ["get", "watch", "list"]

Clusterrolebinding.yaml is as follows -

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs-clusterrolebinding
subjects:
- kind: Group
  name: devs # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: devs
  apiGroup: rbac.authorization.k8s.io

The kubeconfig file is as follows -

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: XXXXXXXXXXXXX
    server: https://XX.XX.XX.XX:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: parth
  name: dev
current-context: "dev"
kind: Config
preferences: {}
users:
- name: parth
  user:
    client-certificate: /etc/kubernetes/access-credentials/parth/parth.crt
    client-key: /etc/kubernetes/access-credentials/parth/parth.key


Since I want to authenticate using the group only, I get the following error -

$ kubectl get nodes
error: You must be logged in to the server (Unauthorized)

I am running k8s on bare metal.
Group-based authentication reference from the official docs -

I see that you have granted the permission to the group, not to the user. In that case you need to use impersonation as the group

kubectl get nodes --as-group=devs

It got fixed after manually signing the certificate with the API server CA

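I am now getting the following error -

$ kubectl get nodes --as-group=devs
Error: requesting groups or user-extra without impersonating a user

@ParthWadhwa Did you try adding a ClusterRoleBinding that binds a subject of kind User for your user? See how that works?

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: parth-clusterrolebinding
subjects:
- kind: User
  name: parth # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: devs
  apiGroup: rbac.authorization.k8s.io

@Shambu Even after creating a clusterrolebinding that binds a subject of kind User, I am facing the same issue.

Can you elaborate on how you did this?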
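
The fix reported in this thread was re-signing the certificate with the API server CA. The script below is an added example, not code from any poster here: it checks a client certificate against a CA and prints the user and groups that x509 authentication reads from the subject. The CA names `cluster-ca` and `other-ca`, the file names, and all keys are constructed test data; on a real cluster the CA to check against is the one the API server is started with as `--client-ca-file`.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed throwaway data.

# True only if the client cert chains to the CA the API server trusts for
# client certificates (the file passed as kube-apiserver --client-ca-file).
signed_by_ca() {   # usage: signed_by_ca <ca.crt> <client.crt>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the identity x509 authentication derives from the subject:
# CN becomes the username, every O becomes a group.
cert_identity() {  # usage: cert_identity <client.crt>
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' |
        awk -F= '$1=="CN"{u=$2} $1=="O"{g=g (g?",":"") $2}
                 END{printf "user=%s groups=%s\n", u, g}'
}

make_ca() {        # usage: make_ca <name> <dir>  (self-signed test CA)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

issue_client() {   # usage: issue_client <ca-name> <dir> <out.crt>
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=devs/CN=parth" \
        -keyout "$2/client.key" -out "$2/client.csr" 2>/dev/null
    openssl x509 -req -in "$2/client.csr" -CA "$2/$1.crt" -CAkey "$2/$1.key" \
        -CAcreateserial -days 1 -out "$3" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca cluster-ca "$WORK"    # stands in for the API server's client CA
make_ca other-ca "$WORK"      # a CA the API server does not trust
issue_client cluster-ca "$WORK" "$WORK/good.crt"
issue_client other-ca "$WORK" "$WORK/bad.crt"

for c in good bad; do
    if signed_by_ca "$WORK/cluster-ca.crt" "$WORK/$c.crt"; then
        verdict="trusted, RBAC is evaluated next"
    else
        verdict="untrusted, request is rejected as Unauthorized"
    fi
    echo "$c.crt: $(cert_identity "$WORK/$c.crt") -> $verdict"
done
```

Both certificates carry the same subject (O=devs, CN=parth), so the group binding is identical; only the signing CA decides whether the request is authenticated at all.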