kubernetes pods is forbidden: User "user1" cannot list pods in the namespace "stage"
While testing role-based access in Alibaba Container Service it throws me the error "pods is forbidden: User "user1" cannot list pods in the namespace "stage"". This is an RBAC issue and I cannot figure out where I went wrong.
Role binding definition
root@kube-master:# kubectl describe rolebinding stage-role-binding -n stage
Name:         stage-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  staging
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  user2
Role definition
root@kube-master:# kubectl describe role -n stage
Name:         staging
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources               Non-Resource URLs  Resource Names  Verbs
  ---------               -----------------  --------------  -----
  deployments             []                 []              [get list watch create update patch delete]
  pods                    []                 []              [get list watch create update patch delete]
  replicasets             []                 []              [get list watch create update patch delete]
  deployments.apps        []                 []              [get list watch create update patch delete]
  pods.apps               []                 []              [get list watch create update patch delete]
  replicasets.apps        []                 []              [get list watch create update patch delete]
  deployments.extensions  []                 []              [get list watch create update patch delete]
  pods.extensions         []                 []              [get list watch create update patch delete]
  replicasets.extensions  []                 []              [get list watch create update patch delete]
One pod running in the stage namespace
root@kube-master:# kubectl get pods -n stage
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          10m
Define the context
root@kube-master:# kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2
Context "stage" modified.
Test RBAC
root@kube-master:/home/ansible# kubectl --context=stage get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "user1" cannot list pods in the namespace "stage"
Not sure where user1 is coming from and throwing the RBAC error. The context is set only for user2:
root@kube-master:# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin
          stage                         kubernetes   user2              stage
This is how I created the user
openssl genrsa -out user2.key 2048
openssl req -new -key user2.key -out user2.csr -subj "/CN=user1/O=8gwifi.org"
openssl x509 -req -in user2.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user2.crt -days 500
kubectl config set-credentials user2 --client-certificate=user2.crt --client-key=user2.key
kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2
The RoleBinding applies to user user2, not to user1. That is why you are getting the RBAC error.
Setting the context for user user2 does not mean Kubernetes will identify this user as user2. That depends on the credentials you use. If the credentials used belong to user user-x, then Kubernetes will treat it as user-x. The context user is only what kubectl uses to look up the credential information. To understand Kubernetes authentication, see here.
The credentials you are using here resolve to user user1. So you should update the RoleBinding to user1.
After the question update
For certificate authentication, the CN will be the username (reference: here).
In your certificate "/CN=user1/O=8gwifi.org", the username will be user1, not user2.
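An added example (not from the question or the answer) that reproduces the mismatch described above with throwaway openssl material: the kubeconfig credential is named user2, but the certificate's CN, which is what the API server takes as the username, says user1, so a RoleBinding for user2 never matches. It assumes openssl is installed and uses a temp dir with a self-signed throwaway CA instead of the cluster's /etc/kubernetes/pki.

```shell
#!/bin/sh
# Added example, not from the original post: show why the kubeconfig credential
# name (user2) is irrelevant to RBAC. The API server takes the username from the
# client certificate's CN and the groups from its O fields.
# Assumes openssl is installed; the CA below is throwaway test material, not the
# cluster's /etc/kubernetes/pki, and everything lives in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for ca.crt / ca.key
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=throwaway-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Issue a client cert the way the question did: $1 = file basename, $2 = subject
issue_cert() {
    openssl genrsa -out "$WORK/$1.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/$1.crt" -days 1 >/dev/null 2>&1
}

# Username the API server will see for a client cert: the subject CN
cert_username() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *commonName=//p'
}

# Groups the API server will see: every O (organizationName) in the subject
cert_groups() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *organizationName=//p' | tr '\n' ',' | sed 's/,$//'
}

# Does the RoleBinding subject name ($2) match the identity the cert ($1) carries?
rolebinding_matches() {
    [ "$(cert_username "$1")" = "$2" ]
}

# Reproduce the question: files and credential named user2, subject CN=user1
issue_cert user2 "/CN=user1/O=8gwifi.org"
echo "kubeconfig credential: user2"
echo "identity from cert:    user=$(cert_username "$WORK/user2.crt") groups=$(cert_groups "$WORK/user2.crt")"
rolebinding_matches "$WORK/user2.crt" user2 \
    || echo "RoleBinding subject 'user2' does not match -> Forbidden for user1"
```

On a live cluster, once the CN is known, the equivalent check is `kubectl auth can-i list pods -n stage --as user1`.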