
I am trying to deploy an application on GKE using the REST API. However, everything in the GKE documentation is mixed together, and it is not clear how to enable Kubernetes REST API access.

Does anyone here clearly know how to create a deployment on a Kubernetes cluster on Google Cloud? If so, I would love to know the detailed steps for enabling it. Currently, this is what I get.

A GET call to https://xx.xx.xx.xx/apis/apps/v1/namespaces/default/deployments/nginx-1 gives the following JSON output, even though the authorization token is valid:

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "deployments.apps \"nginx-1\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"deployments\" in API group \"apps\" in the namespace \"default\"",
    "reason": "Forbidden",
    "details": {
        "name": "nginx-1",
        "group": "apps",
        "kind": "deployments"
    },
    "code": 403
}

However, the management API seems to be enabled:

Following the instructions at this link and executing the following commands:

# Check all possible clusters, as your .KUBECONFIG may have multiple contexts:
kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'

# Select name of cluster you want to interact with from above output:
export CLUSTER_NAME="some_server_name"

# Point to the API server referring the cluster name
APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")

# Gets the token value
TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 --decode)

# Explore the API with TOKEN
curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure

gives the desired output.


1 Answer


The `default` service account in the `default` namespace does not have RBAC to perform the `get` verb on `deployment` resources in the `default` namespace.

Use the `role` and `rolebinding` below to give the service account the necessary permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployment-reader
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-deployment
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
  name: default # "name" is case sensitive
  namespace: default
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: deployment-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

Verify the permissions

kubectl auth can-i get deployments --as=system:serviceaccount:default:default -n default
yes
answered 2020-07-13T13:43:32.800
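As an added example (not part of the question or the answer above, and not code from Kubernetes itself), the following Python script does offline what `kubectl auth can-i` does against a live cluster: it evaluates the answer's Role and RoleBinding for the `system:serviceaccount:default:default` subject, and parses the 403 `Status` body from the question into the (user, verb, resource, group, namespace) tuple that the check needs. It deliberately models only namespaced Roles bound by RoleBindings (no ClusterRoles, ClusterRoleBindings, resourceNames or subresources), so those are assumptions, not a full RBAC implementation. Running it also shows the caveat a practitioner wants here: the answer's Role grants `get`, `watch` and `list`, so after applying it the service account still cannot `create` a deployment, which is what the question is ultimately trying to do.

```python
"""Offline 'kubectl auth can-i' over the Role/RoleBinding from the answer.

Added example, not part of the original page. Assumes only namespaced
Roles bound via RoleBindings exist (no ClusterRole/ClusterRoleBinding),
and uses Python dicts in place of the YAML so it runs without PyYAML or
a cluster. RBAC is purely additive: any matching rule grants access.
"""
import json
import re

# Transcription of the Role and RoleBinding posted in the answer.
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "deployment-reader"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "watch", "list"]},
    ],
}
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "default", "name": "read-deployment"},
    "subjects": [{"kind": "ServiceAccount", "name": "default",
                  "namespace": "default"}],
    "roleRef": {"kind": "Role", "name": "deployment-reader",
                "apiGroup": "rbac.authorization.k8s.io"},
}

# The 403 Status body copied from the question (not constructed).
SAMPLE_403 = """{
    "kind": "Status", "apiVersion": "v1", "metadata": {},
    "status": "Failure",
    "message": "deployments.apps \\"nginx-1\\" is forbidden: User \\"system:serviceaccount:default:default\\" cannot get resource \\"deployments\\" in API group \\"apps\\" in the namespace \\"default\\"",
    "reason": "Forbidden",
    "details": {"name": "nginx-1", "group": "apps", "kind": "deployments"},
    "code": 403
}"""

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"')


def parse_forbidden(status_json):
    """Extract the denied (user, verb, resource, group, namespace) from a
    403 Status body, or return None if the body is not such a denial."""
    status = json.loads(status_json)
    if status.get("kind") != "Status" or status.get("code") != 403:
        return None
    match = FORBIDDEN_RE.search(status.get("message", ""))
    return match.groupdict() if match else None


def subject_name(subject):
    """Render a binding subject the way the API server names the user."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]  # User or Group subjects are used verbatim


def rule_allows(rule, verb, group, resource):
    """A policy rule matches when every dimension lists the value or '*'."""
    def matches(values, wanted):
        return "*" in values or wanted in values
    return (matches(rule["apiGroups"], group)
            and matches(rule["resources"], resource)
            and matches(rule["verbs"], verb))


def can_i(user, verb, resource, group, namespace, roles, bindings):
    """Return True if any RoleBinding in `namespace` naming `user` points at
    a Role whose rules allow `verb` on `resource` in API group `group`."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
                    for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if binding["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are outside this model
        if user not in {subject_name(s) for s in binding["subjects"]}:
            continue
        role = roles_by_key.get((namespace, binding["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_allows(r, verb, group, resource) for r in role["rules"]):
            return True
    return False


def check_denial_after_fix(status_json, roles, bindings):
    """Re-run the exact request the API server denied against the given
    RBAC objects; True means the binding would now let it through."""
    denied = parse_forbidden(status_json)
    if denied is None:
        return None
    return can_i(denied["user"], denied["verb"], denied["resource"],
                 denied["group"], denied["namespace"], roles, bindings)


if __name__ == "__main__":
    sa = "system:serviceaccount:default:default"
    print("denied request:", parse_forbidden(SAMPLE_403))
    print("get after fix:", check_denial_after_fix(SAMPLE_403, [ROLE], [ROLE_BINDING]))
    for verb in ("get", "list", "create", "patch"):
        print(f"can {sa} {verb} deployments.apps in default:",
              can_i(sa, verb, "deployments", "apps", "default", [ROLE], [ROLE_BINDING]))
```

To actually deploy through the REST API the Role's `verbs` list needs `create` (and `patch` or `update` for subsequent rollouts); the script's `create` line prints `False` against the answer's Role exactly as the real API server would return another 403. It is also a cheap place to notice that the `get`/`list` rule grants nothing in other namespaces, since RoleBindings are namespace-scoped.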