开启了一个api-server,如何具有权限访问这个服务
api-server开启的api-server 脚本如下
/root/k8s/kubernetes/server/bin/kube-apiserver \
--log-dir=/root/k8s/kubernetes/log/kube-apiserver \
--log-file=/root/k8s/kubernetes/log/kube-apiserver/log.log \
--logtostderr=true \
--allow-privileged=true \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--advertise-address=192.168.123.78 \
--service-cluster-ip-range=10.96.0.0/12 \
--service-node-port-range=30000-32767 \
--etcd-servers=https://192.168.123.78:2379,https://192.168.123.79:2379,https://192.168.123.80:2379 \
--etcd-cafile=/root/certs/ca.pem \
--etcd-certfile=/root/certs/etcd.pem \
--etcd-keyfile=/root/certs/etcd-key.pem \
--tls-cert-file=/root/certs/api-server.pem \
--tls-private-key-file=/root/certs/api-server-key.pem \
--client-ca-file=/root/certs/ca.pem \
--kubelet-client-certificate=/root/certs/client.pem \
--kubelet-client-key=/root/certs/client-key.pem \
--service-account-key-file=/root/certs/api-server.pem \
--service-account-signing-key-file=/root/certs/api-server-key.pem \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--kubelet-preferred-address-types=Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--requestheader-client-ca-file=/root/certs/ca.pem \
--proxy-client-cert-file=/root/certs/proxy.pem \
--proxy-client-key-file=/root/certs/proxy-key.pem \
--requestheader-allowed-names="" \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-username-headers=X-Remote-User
利用其中的
--kubelet-client-certificate
和
--kubelet-client-key
生成了一个config
/root/k8s/kubernetes/server/bin/kubectl config set-cluster kubernetes --certificate-authority=/root/certs/ca.pem --embed-certs=true --server=https://192.168.123.78:6443 --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
/root/k8s/kubernetes/server/bin/kubectl config set-credentials kubernetes-admin --client-certificate=/root/certs/client.pem --client-key=/root/certs/client-key.pem --embed-certs=true --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
/root/k8s/kubernetes/server/bin/kubectl config set-context kubernetes-admin@kubernetes --cluster=kubernetes --user=kubernetes-admin --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
/root/k8s/kubernetes/server/bin/kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig
然后当我用admin.kubeconfig进行访问的时候,出现了 403 的问题
./kubectl get cs --kubeconfig=/root/k8s/kubernetes/server/bin/admin.kubeconfig -v=9
<<<<<
Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/api\"","reason":"Forbidden","details":{},"code":403}
I1002 21:44:12.604038 227095 round_trippers.go:466] curl -v -XGET -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.25.2 (linux/amd64) kubernetes/5835544" 'https://192.168.123.78:6443/apis?timeout=32s'
有大佬知道是什么原因吗, 或者说一个新开的 API-SERVER 的所谓的管理员账号密码是在哪里= =,如何访问api-server呢
这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。
V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。
V2EX is a community of developers, designers and creative people.