Kubernetes Access metrics server API externally
I am trying to access the metrics server of a k8s cluster without using kubectl proxy. After finding the tutorial at https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#without-kubectl-proxy I ran into a problem.
When I issue the request curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq
I get the following permission error:
curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   386  100   386    0     0   2064      0 --:--:-- --:--:-- --:--:--  2064
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "nodes.metrics.k8s.io is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"nodes\" in API group \"metrics.k8s.io\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "group": "metrics.k8s.io",
    "kind": "nodes"
  },
  "code": 403
}
I tried creating a custom ServiceAccount testaccount with the following ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: test-admin
rules:
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: test-rbac
subjects:
- kind: ServiceAccount
  name: testaccount
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
I have tried both the ClusterRole included above and the cluster-admin cluster role. Using the token generated after these changes, I still get the same curl error.
I found that it is the apiGroups that needs to be changed. The following ClusterRole and ClusterRoleBinding work:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: test-admin
rules:
- apiGroups: ["*"] # This was the change
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: test-rbac
subjects:
- kind: ServiceAccount
  name: testaccount
  namespace: default
roleRef:
  kind: ClusterRole
  name: test-admin
  apiGroup: rbac.authorization.k8s.io
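The reason the first ClusterRole failed is that `apiGroups: [""]` names only the core API group (the `pods` and `nodes` served under `/api/v1`), while the metrics server serves its own `nodes` and `pods` resources in the `metrics.k8s.io` group. The added example below (not part of the original question or answer, and not Kubernetes' own code) models the RBAC rule-matching semantics for verb, apiGroup and resource, parses the request out of the 403 `message` shown above, and compares three rule sets: the original `[""]`, the accepted `["*"]`, and a narrower `["metrics.k8s.io"]` rule that grants the same access for this curl without opening every API group. The `NARROW_ROLE` manifest, the `groups_allowed` helper and the candidate group list are assumptions introduced here for illustration.

```python
import re
from dataclasses import dataclass

# Added example: a minimal model of Kubernetes RBAC PolicyRule matching.
# A rule allows a request when the verb, the API group and the resource each
# appear in the rule's list, or the list contains the "*" wildcard.


@dataclass(frozen=True)
class PolicyRule:
    """One entry of a ClusterRole's `rules:` list."""
    api_groups: tuple   # "" is the core group (/api/v1: pods, nodes, ...)
    resources: tuple
    verbs: tuple


@dataclass(frozen=True)
class Request:
    api_group: str      # "" for the core group, e.g. "metrics.k8s.io" otherwise
    resource: str
    verb: str


def _matches(wanted: str, allowed: tuple) -> bool:
    return "*" in allowed or wanted in allowed


def rule_allows(rule: PolicyRule, req: Request) -> bool:
    return (_matches(req.verb, rule.verbs)
            and _matches(req.api_group, rule.api_groups)
            and _matches(req.resource, rule.resources))


def role_allows(rules, req: Request) -> bool:
    """A role allows a request if any one of its rules does."""
    return any(rule_allows(r, req) for r in rules)


def rules_from_manifest(manifest: dict):
    """Turn the `rules:` of an already-parsed ClusterRole manifest into PolicyRule objects."""
    return [PolicyRule(tuple(r.get("apiGroups", [])),
                       tuple(r.get("resources", [])),
                       tuple(r.get("verbs", [])))
            for r in manifest.get("rules", [])]


# The API server's Forbidden message names the verb, resource and group it denied.
_FORBIDDEN = re.compile(r'cannot (\w+) resource "([^"]+)" in API group "([^"]*)"')


def request_from_forbidden_message(message: str) -> Request:
    """Recover the denied request from a Status message such as the one in the question."""
    m = _FORBIDDEN.search(message)
    if m is None:
        raise ValueError("not a Forbidden status message")
    verb, resource, group = m.groups()
    return Request(group, resource, verb)


def groups_allowed(manifest: dict, resource: str, verb: str,
                   candidate_groups=("", "metrics.k8s.io", "apps")) -> list:
    """Which of the candidate API groups (an assumed sample) the role grants `verb` on `resource` in."""
    rules = rules_from_manifest(manifest)
    return sorted(g for g in candidate_groups
                  if role_allows(rules, Request(g, resource, verb)))


# The three ClusterRole variants, in parsed form. The first two are the question's
# and answer's rules; NARROW_ROLE is an assumed least-privilege alternative.
ORIGINAL_ROLE = {"rules": [{"apiGroups": [""],
                            "resources": ["pods", "nodes"],
                            "verbs": ["get", "watch", "list"]}]}
ANSWER_ROLE = {"rules": [{"apiGroups": ["*"],
                          "resources": ["pods", "nodes"],
                          "verbs": ["get", "watch", "list"]}]}
NARROW_ROLE = {"rules": [{"apiGroups": ["metrics.k8s.io"],
                          "resources": ["pods", "nodes"],
                          "verbs": ["get", "list"]}]}  # the curl above only lists

# The 403 body's "message" field, copied from the question.
FORBIDDEN_MESSAGE = ('nodes.metrics.k8s.io is forbidden: User '
                     '"system:serviceaccount:default:default" cannot list resource '
                     '"nodes" in API group "metrics.k8s.io" at the cluster scope')


if __name__ == "__main__":
    req = request_from_forbidden_message(FORBIDDEN_MESSAGE)
    print("denied request:", req)
    for name, manifest in (("original [\"\"]", ORIGINAL_ROLE),
                           ("answer [\"*\"]", ANSWER_ROLE),
                           ("narrow [metrics.k8s.io]", NARROW_ROLE)):
        allowed = role_allows(rules_from_manifest(manifest), req)
        groups = groups_allowed(manifest, req.resource, req.verb)
        print(f"{name:26} allows this curl: {allowed!s:5} list nodes in groups: {groups}")
```

Two checks worth making before touching RBAC at all: the 403 message names the caller (`system:serviceaccount:default:default` above), so if that name does not match the ServiceAccount you bound, the token in `$TOKEN` is not the one you think it is and no role change will help; and `--insecure` disables verification of the API server's certificate, so for anything beyond a quick test pass the cluster CA with `--cacert` instead. The `["*"]` rule in the answer works, but it also grants list/get/watch on `pods` and `nodes` in every API group, present and future; naming `metrics.k8s.io` keeps the grant to what the request actually needs.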