问题
如何使用客户端证书访问 API 服务器 API?在下面尝试但没有成功。
export K8S_PKI_HOME=/etc/kubernetes/pki
curl -k --key ${K8S_PKI_HOME}/ca.key --cert ${K8S_PKI_HOME}/ca.crt \
https://localhost:6443/api/v1/componentstatuses
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "componentstatuses is forbidden: User \"kubernetes\" cannot list componentstatuses at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "componentstatuses"
},
"code": 403
}
通过将 --client-ca-file=SOMEFILE 选项传递给 API 服务器来启用客户端证书身份验证。
在 /etc/kubernetes/manifests/kube-apiserver.yaml 中,指定了--client-ca-file=/etc/kubernetes/pki/ca.crt。
spec:
containers:
- command:
- kube-apiserver
- --client-ca-file=/etc/kubernetes/pki/ca.crt