403 Forbidden error when trying to access Kubernetes API from a pod
As per this Documentation, I am trying to access the Kubernetes API from a pod using the following command

curl --cacert ca.crt -H "Authorization: Bearer $(<token)" https://kubernetes/apis/extensions/v1beta1/namespaces/default/deployments/ballerina-prime/scale

following this template

curl --cacert ca.crt -H "Authorization: Bearer $(<token)" https://kubernetes/apis/extensions/v1beta1/namespaces/{namespace}/deployments/{name}/scale

It throws the following error

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "deployments.extensions \"ballerina-prime\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"deployments/scale\" in API group \"extensions\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "ballerina-prime",
    "group": "extensions",
    "kind": "deployments"
  },
  "code": 403
}

Can someone point out where I am making a mistake, or suggest any other way I can access the Kubernetes API?

Update 01

I created a Role as the documentation suggests. Below is the manifest I used.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployments-and-deployements-scale
rules:
- apiGroups: [""]
  resources: ["deployments", "deployments/scale"]
  verbs: ["get", "list"]

I applied it with this command: kubectl apply -f deployments-and-deployements-scale.yaml. I still cannot access the required endpoint. Where am I going wrong?
First of all, you are connecting to the kubernetes API correctly!
But the default service account ("user") you are using does not have the permissions required for the action you want to perform (reading the deployment 'ballerina-prime' in the namespace 'default').
What you need to do: use a different service account, or grant the default service account the required permissions.
You can find the details in the documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
As @Thomas mentioned in the comment below his answer, you need to assign the specific Role to the target Service account via a RoleBinding resource in order to fix this authorization issue.
Referring to your manifest:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployments-and-deployements-scale
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "deployments/scale"]
  verbs: ["get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployments-and-deployements-scale-rb
  namespace: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: deployments-and-deployements-scale
  apiGroup: rbac.authorization.k8s.io  # roleRef.apiGroup must be the RBAC group; an empty string is rejected by API validation

You may also consider setting apiGroups explicitly in the Role definition, either matching the specific API group or using the broad ["*"] to search across all API versions.
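To see why the original Role was rejected and the corrected one is not, here is an added example (not code from the question, the answers or Kubernetes itself) that models the RBAC authorizer's matching rules in plain Python and evaluates the request reconstructed from the 403 message against both Roles; the request, rules and ServiceAccount names are constructed from the page, and the wildcard forms ("*" and "*/scale") are standard RBAC syntax not shown on the page.

```python
from dataclasses import dataclass
from typing import List
@dataclass
class Request:
    user: str          # e.g. system:serviceaccount:<namespace>:<name>
    verb: str
    api_group: str     # "" is the core group; Deployments are served by "apps" and "extensions"
    resource: str
    subresource: str = ""
    namespace: str = ""
@dataclass
class Rule:            # one entry of a Role's `rules:` list
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
@dataclass
class RoleBinding:     # binds a Role (its rules) to subjects, here ServiceAccount user names
    namespace: str
    rules: List[Rule]
    subjects: List[str]

def sa_user(namespace: str, name: str) -> str:
    # User name the API server assigns to a ServiceAccount token (as seen in the 403 message)
    return f"system:serviceaccount:{namespace}:{name}"

def rule_allows(rule: Rule, req: Request) -> bool:
    # Every field must match; "*" is a wildcard. A subresource request like deployments/scale
    # matches "deployments/scale", "*/scale" or "*", but never plain "deployments".
    full = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    verb_ok = any(v in ("*", req.verb) for v in rule.verbs)
    group_ok = any(g in ("*", req.api_group) for g in rule.api_groups)
    res_ok = any(r in ("*", full) or (req.subresource and r == f"*/{req.subresource}") for r in rule.resources)
    return verb_ok and group_ok and res_ok

def authorized(bindings: List[RoleBinding], req: Request) -> bool:
    # Allowed if a RoleBinding in the request's namespace names the user and one of its rules matches
    return any(b.namespace == req.namespace and req.user in b.subjects
               and any(rule_allows(r, req) for r in b.rules) for b in bindings)

# Constructed inputs: the request reconstructed from the 403 message in the question
REQ = Request(sa_user("default", "default"), "get", "extensions", "deployments", "scale", "default")
# The question's Role: apiGroups [""] is the core group, so it never matches "extensions"
CORE_ONLY = [Rule([""], ["deployments", "deployments/scale"], ["get", "list"])]
# The answer's Role: lists both API groups under which Deployments are served
FIXED = [Rule(["extensions", "apps"], ["deployments", "deployments/scale"], ["get", "list"])]

def check(rules: List[Rule], bound: bool = True) -> bool:
    # Evaluate REQ against a Role, with or without a RoleBinding to the default ServiceAccount
    subjects = [sa_user("default", "default")] if bound else []
    return authorized([RoleBinding("default", rules, subjects)], REQ)
```

On a real cluster the same question is answered by `kubectl auth can-i get deployments.extensions --subresource=scale --as=system:serviceaccount:default:default -n default`, which should print "no" before the RoleBinding is applied and "yes" after.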