forbidden: User , "code": 使用 curl 访问 kube-apiserver 时出现 403 错误
forbidden: User , "code": 403 error while accessing kube-apiserver using curl
Kubernetes 版本:v1.19.0
我已经创建了一个用户并使用角色 cluster-admin 执行了 clusterrolebinding。
[root@project1-master ~]# kubectl describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
[root@project1-master ~]# kubectl describe clusterrolebinding sajeesh cluster-admin
Name: sajeesh
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
User sajeesh
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters
I am able to run kubectl with this useraccount and get pods information :
[root@project1-master ~]# kubectl get pods --as sajeesh
NAME READY STATUS RESTARTS AGE
busyb 1/1 Running 3 21h
But when i try to access kube-apiserver using curl it show forbidden error as following :
[root@project1-master ~]# curl --cacert /etc/kubernetes/pki/ca.crt --cert sajeesh.crt --key sajeesh.key https://$IP:6443/api/v1/namespaces/default/pods/busyb
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods \"busyb\" is forbidden: User \"system:anonymous\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"name": "busyb",
"kind": "pods"
},
"code": 403
I have re-verified the cacert , cert & key i am providing with that user account .They are correct.
Any suggestions why this is happening and how to fix it.
clusterrolebinding sajeesh 具有名称 sajeesh 和组 system:masters。因此证书需要 sajeesh 作为通用名称 (CN) 和 system:masters作为组织(O)。当请求转到 kubernetes API 服务器时,它将检查证书并将 CN 与 name 和 O 与 clusterrolebinding 中的 Group 匹配,如果它不匹配你得到 403 Forbidden 错误。
您可以通过 运行 下面的命令
验证以上内容
openssl x509 -in sajeesh.crt -text -noout
最终发现 problem.it 与 kubernetes 无关,但我正在使用 curl 命令。
curl --cacert /etc/kubernetes/pki/ca.crt --cert sajeesh.crt --key sajeesh.key https://$IP:6443/api/v1/namespaces/default/pods/busyb
当我将 -v 开关与命令一起使用时,它显示:
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/kubernetes/pki/ca.crt
CApath: none
* warning: certificate file name "sajeesh.crt" handled as nickname; please use "./sajeesh.crt" to force file name
* NSS: client certificate not found: newsajeesh.crt
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
所以基本上它是在寻找绝对路径作为参数的输入 --cert & --key
curl --cacert /etc/kubernetes/pki/ca.crt --cert ./sajeesh.crt --key ./sajeesh.key https://$IP:6443/api/v1/namespaces/default/pods/busyb
在给出绝对路径后它工作正常,我能够得到输出。
Kubernetes 版本:v1.19.0
我已经创建了一个用户并使用角色 cluster-admin 执行了 clusterrolebinding。
[root@project1-master ~]# kubectl describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
[root@project1-master ~]# kubectl describe clusterrolebinding sajeesh cluster-admin
Name: sajeesh
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
User sajeesh
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters
I am able to run kubectl with this useraccount and get pods information :
[root@project1-master ~]# kubectl get pods --as sajeesh
NAME READY STATUS RESTARTS AGE
busyb 1/1 Running 3 21h
But when i try to access kube-apiserver using curl it show forbidden error as following :
[root@project1-master ~]# curl --cacert /etc/kubernetes/pki/ca.crt --cert sajeesh.crt --key sajeesh.key https://$IP:6443/api/v1/namespaces/default/pods/busyb
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods \"busyb\" is forbidden: User \"system:anonymous\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"name": "busyb",
"kind": "pods"
},
"code": 403
I have re-verified the cacert , cert & key i am providing with that user account .They are correct.
Any suggestions why this is happening and how to fix it.
clusterrolebinding sajeesh 具有名称 sajeesh 和组 system:masters。因此证书需要 sajeesh 作为通用名称 (CN) 和 system:masters作为组织(O)。当请求转到 kubernetes API 服务器时,它将检查证书并将 CN 与 name 和 O 与 clusterrolebinding 中的 Group 匹配,如果它不匹配你得到 403 Forbidden 错误。
您可以通过 运行 下面的命令
验证以上内容openssl x509 -in sajeesh.crt -text -noout
最终发现 problem.it 与 kubernetes 无关,但我正在使用 curl 命令。
curl --cacert /etc/kubernetes/pki/ca.crt --cert sajeesh.crt --key sajeesh.key https://$IP:6443/api/v1/namespaces/default/pods/busyb
当我将 -v 开关与命令一起使用时,它显示:
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/kubernetes/pki/ca.crt
CApath: none
* warning: certificate file name "sajeesh.crt" handled as nickname; please use "./sajeesh.crt" to force file name
* NSS: client certificate not found: newsajeesh.crt
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
所以基本上它是在寻找绝对路径作为参数的输入 --cert & --key
curl --cacert /etc/kubernetes/pki/ca.crt --cert ./sajeesh.crt --key ./sajeesh.key https://$IP:6443/api/v1/namespaces/default/pods/busyb
在给出绝对路径后它工作正常,我能够得到输出。