Kubernetes 版本:v1.19.0
我创建了一个用户并使用角色 cluster-admin 执行了 clusterrolebinding。
[root@project1-master ~]# kubectl describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
[root@project1-master ~]# kubectl describe clusterrolebinding sajeesh cluster-admin
Name: sajeesh
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
User sajeesh
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters
我可以使用这个用户帐户运行 kubectl 并获取 pod 信息:
[root@project1-master ~]# kubectl get pods --as sajeesh
NAME READY STATUS RESTARTS AGE
busyb 1/1 Running 3 21h
但是当我尝试使用 curl 访问 kube-apiserver 时,它显示禁止错误如下:
[root@project1-master ~]# curl --cacert /etc/kubernetes/pki/ca.crt --cert sajeesh.crt --key sajeesh.key https://$IP:6443/api/v1/namespaces/default/pods/busyb
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods \"busyb\" is forbidden: User \"system:anonymous\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"name": "busyb",
"kind": "pods"
},
"code": 403
我已经重新验证了我为该用户帐户提供的 cacert 、证书和密钥。它们是正确的。
任何建议为什么会发生这种情况以及如何解决它。