Kubernetes kubectl - error: You must be logged in to the server, on bare metal
I created a CSR and approved it:
$ kubectl get csr
NAME        AGE   REQUESTOR          CONDITION
parth-csr   28m   kubernetes-admin   Approved,Issued
The certificate was created using kubectl, with only the user name parth and the group devs:
Issuer: CN=kubernetes
Validity
    Not Before: Dec 16 18:51:00 2019 GMT
    Not After : Dec 15 18:51:00 2020 GMT
Subject: O=devs, CN=parth
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
Here I want to authenticate on the basis of the group devs. Clusterrole.yaml looks like this:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs
rules:
- apiGroups: [""]
  resources: ["nodes", "pods", "secrets", "pods", "pods/log", "configmaps", "services", "endpoints", "deployments", "jobs", "crontabs"]
  verbs: ["get", "watch", "list"]
Clusterrolebinding.yaml is as follows:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs-clusterrolebinding
subjects:
- kind: Group
  name: devs # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: devs
  apiGroup: rbac.authorization.k8s.io
The kubeconfig file looks like this:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: XXXXXXXXXXXXX
    server: https://XX.XX.XX.XX:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: parth
  name: dev
current-context: "dev"
kind: Config
preferences: {}
users:
- name: parth
  user:
    client-certificate: /etc/kubernetes/access-credentials/parth/parth.crt
    client-key: /etc/kubernetes/access-credentials/parth/parth.key
Since I want to authenticate using only the group, I get the following error:
$ kubectl get nodes
error: You must be logged in to the server (Unauthorized)
I am running k8s on bare metal.
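Reference for group-based authentication from the official docs -
I see that you have granted the permissions to the group, not to the user. In this case you need to use impersonation as the group: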
kubectl get nodes --as-group=devs
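It got fixed after manually signing the certificate with the API server CA.
I am now getting the following error: "$ kubectl get nodes --as-group=devs Error: requesting groups or user-extra for without impersonating a user"
@ParthWadhwa Did you try adding a ClusterRoleBinding that binds your user with a subject of kind User? See how that goes? `kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: parth-clusterrolebinding subjects: - kind: User name: parth # Name is case sensitive apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: devs apiGroup: rbac.authorization.k8s.io`
@Shambu I am facing the same issue even after creating a ClusterRoleBinding with a subject of kind User. Can you elaborate on how you did this?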
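The `Unauthorized` error in the question is an authentication failure, which is why it was fixed by signing with the API server CA rather than by changing bindings. The following added example (not code from the thread) reproduces that trust check offline with openssl; the CA names, file names and keys are constructed, and only the subject O=devs, CN=parth is taken from the page.

```bash
#!/bin/sh
# Added example: offline stand-in for the API server's client-certificate check.
# All CA names, file names and keys below are constructed; no cluster is contacted.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA, standing in for the file passed to --client-ca-file.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA OUT: key and CSR with the page's subject (O=devs, CN=parth), signed by CA.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=devs/CN=parth" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to CA CERT: succeeds only if CERT verifies against CA. A certificate that
# fails here is rejected at authentication (401 Unauthorized) before RBAC is evaluated.
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# identity CERT: print the user (CN) and group (O) that RBAC subjects are matched against.
identity() {
  subj="$(openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253)"
  cn="$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')"
  org="$(printf '%s\n' "$subj" | sed -n 's/.*O=\([^,]*\).*/\1/p')"
  echo "user=$cn group=$org"
}

make_ca cluster-ca      # the CA the API server trusts for client certificates
make_ca other-ca        # any other CA, e.g. a different or regenerated one
issue_client cluster-ca trusted
issue_client other-ca untrusted

for c in trusted untrusted; do
  if chains_to cluster-ca "$c"; then verdict="authenticated; RBAC decides next"
  else verdict="401 Unauthorized; bindings are never consulted"; fi
  echo "$c: $(identity "$c") -> $verdict"
done
```

Both certificates carry the same user and group, so the subject alone does not show which one the server will accept; against a real cluster the equivalent check is `openssl verify` with the CA file the API server was started with.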