kubernetes - can't access the cluster with new user certificate
I want to create a new admin user in kubernetes. I went through all the steps to create and authorize the certificate, but when I try to access the api I get an authorization error.
These are the steps I run to create the admin user:
1/ openssl genrsa -out user.key 2048
2/ openssl req -new -key user.key -out user.csr -subj "/CN=kube-user"
3/
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: user
spec:
  request: $(cat user.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
4/ kubectl certificate approve user
5/ kubectl get csr user -o jsonpath='{.status.certificate}' | base64 --decode > user.crt
6/ kubectl config view -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' --raw | base64 --decode - > ca.crt
7/
curl https://$KUBE_MASTER_IP:6443/api/v1 \
  --key user.key \
  --cert user.crt \
  --cacert ca.crt
8/ This is what I get:
{
"kind":"Status",
"apiVersion":"v1",
"metadata":{},
"status":"Failure",
"message":"Unauthorized",
"reason":"Unatuhorized",
"code":401
}
document source: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
The command in step 2 is wrong. The admin user should belong to the system:masters group.
openssl req -new -key user.key -out user.csr -subj "/CN=kube-user/O=system:masters"
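An added example, not part of the question or the answer above: a small POSIX shell check to run on the issued certificate before handing it to curl or kubectl. The API server maps the certificate's O (organisation) fields to Kubernetes groups, so a certificate without `O=system:masters` authenticates but is not authorised (403). Separately, the API server only accepts client certificates whose extended key usage includes client authentication, which is what `client auth` in the CSR's `usages` list requests (the CSR in step 3 asks for `server auth` instead); a certificate without it is rejected outright (401). The script assumes the `openssl` CLI (1.1.1 or newer, for `-addext` and `-nameopt`) is installed; the certificates it builds for the demo are self-signed stand-ins constructed here, not certificates issued by a cluster CA.

```shell
#!/bin/sh
# Added example: inspect a Kubernetes client certificate for the two properties
# that decide whether the API server will accept it and which groups it maps to.
# Assumes the openssl CLI, version 1.1.1 or newer.

# Print the certificate subject in RFC 2253 form, e.g. "O=system:masters,CN=kube-user".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=[ ]*//'
}

# Succeed if the subject carries the organisation (= Kubernetes group) given in $2.
cert_has_group() {
    cert_subject "$1" | tr ',' '\n' | grep -qx "O=$2"
}

# Succeed if the Extended Key Usage extension lists TLS client authentication.
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; print }' \
        | grep -q 'TLS Web Client Authentication'
}

# Combined check: return 0 when the certificate both authenticates as a client
# and lands in the expected group; otherwise print the reason and return 1.
check_client_cert() {
    cert="$1"; group="$2"; rc=0
    if ! cert_has_client_auth "$cert"; then
        echo "$cert: no clientAuth EKU, the API server rejects it (401 Unauthorized)"
        rc=1
    fi
    if ! cert_has_group "$cert" "$group"; then
        echo "$cert: subject '$(cert_subject "$cert")' has no O=$group (authenticated, but 403 Forbidden)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$cert: OK, subject '$(cert_subject "$cert")' with clientAuth"
    fi
    return "$rc"
}

# Constructed sample data: a self-signed certificate with the given subject ($2)
# and EKU ($3), standing in for one issued by the cluster CA. Writes $1.key and $1.crt.
make_sample_cert() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1.key" 2>/dev/null
    openssl req -x509 -new -key "$1.key" -subj "$2" -days 1 \
        -addext "extendedKeyUsage=$3" -out "$1.crt" 2>/dev/null
}

# Demo: the subject/usages as posted in the question versus the corrected ones.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/as-posted" "/CN=kube-user" serverAuth
make_sample_cert "$demo_dir/fixed" "/CN=kube-user/O=system:masters" clientAuth
check_client_cert "$demo_dir/as-posted.crt" system:masters || true
check_client_cert "$demo_dir/fixed.crt" system:masters
rm -rf "$demo_dir"
```

To check a real certificate produced by step 5, run `check_client_cert user.crt system:masters` on it; the same functions work on the CSR-issued file, since they only read the subject and the EKU extension.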