- [root@master01 ~]# kubectl get pod -A
- NAMESPACE NAME READY STATUS RESTARTS AGE
- default myapp-test01-7d64789fb5-k5rx6 1/1 Running 1 4d20h
- default myapp-test01-7d64789fb5-q99mh 1/1 Running 1 4d20h
- kube-flannel kube-flannel-ds-bhcqx 1/1 Running 1 5d1h
- kube-flannel kube-flannel-ds-j8d6j 1/1 Running 1 5d1h
- kube-public nginx-wl-67f75b9476-7x445 1/1 Running 0 3d1h
- kube-system coredns-7f8c5c6967-wvzt4 0/1 Running 59 4d21h
- kubernetes-dashboard dashboard-metrics-scraper-5b8896d7fc-wqvls 1/1 Running 0 134m
- kubernetes-dashboard kubernetes-dashboard-897c7599f-l8z6n 0/1 CrashLoopBackOff 29 134m
- xy101 nginx1-794dd8cb7b-95gfw 1/1 Running 0 124m
- xy101 nginx1-794dd8cb7b-ps48f 1/1 Running 0 124m
- xy101 nginx1-794dd8cb7b-w58xs 1/1 Running 0 115m
- [root@master01 ~]# kubectl exec -it -n xy101 nginx1-794dd8cb7b-w58xs -- sh
- error: unable to upgrade connection: Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)
在执行 kubectl exec、run、logs 等命令时,apiserver 会将哀求转发到 kubelet 的 https 端口,并且我使用的 Kubernetes 集群启用了 RBAC。
这里界说 RBAC 规则,授权 apiserver 使用的证书(kubernetes.pem)用户名(CN:kuberntes-master)访问 kubelet API 的权限:
- [root@master01 ~]# kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes-master
- clusterrolebinding.rbac.authorization.k8s.io/kube-apiserver:kubelet-apis created
完成后再执行:
- kubectl exec -it -n xy101 nginx1-794dd8cb7b-w58xs -- sh
为 system:anonymous 临时绑定一个 cluster-admin 的权限
- [root@master01 ~]# kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
- clusterrolebinding.rbac.authorization.k8s.io/system:anonymous created
- kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user=system:anonymous
|
