I am new to Kubernetes, and I get a 403 error code when I try to access it.
kubectl cluster-info
Kubernetes master is running at https://x.x.x.x:6443
KubeDNS is running at https://x.x.x.x:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
"status": "Failure",
"message": "namespaces is forbidden: User \"system:anonymous\" cannot list namespaces at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "namespaces"
},
"code": 403
kubectl get pods --all-namespaces
kube-system calico-etcd-6629s 1/1 Running 0 10h
kube-system calico-kube-controllers-675684d4bb-5h28d 1/1 Running 0 10h
kube-system calico-node-r75wv 2/2 Running 0 10h
kube-system etcd-sp2013a.... 1/1 Running 0 10h
kube-system kube-apiserver-sp2013a ... 1/1 Running 0 10h
kube-system kube-controller-manager-sp2013a.... 1/1 Running 0 10h
kube-system kube-dns-6f4....df-fcqvt 3/3 Running 0 10h
kube-system kube-proxy-mpf2j 1/1 Running 0 10h
kube-system kube-scheduler-sp2013a...... 1/1 Running 0 10h
Everything is running..
Answer 0 (score: 0)
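It sounds like you are being blocked by the cluster's RBAC policy. The system:anonymous user is forbidden from listing the namespaces in the cluster (along the lines of kubectl get namespaces).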
Running kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous will create a clusterrolebinding that adds the system:anonymous user to the cluster-admin role.
This blindly elevates the account to cluster-admin, but since you are new, it should work fine.
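All clusters require some form of authorization, such as certificate authentication, before the API server can be accessed (via kubectl). RBAC is a way of restricting the actions that users (human users and service accounts) can perform in the cluster.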
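Added example, not part of the original question or answer: a Python audit that reads the JSON form of a cluster's ClusterRoleBindings and reports every binding whose subjects include system:anonymous or the system:unauthenticated group, such as the cluster-system-anonymous binding discussed above. The sample input is constructed, and the names find_anonymous_bindings, ops-admins and orphaned, as well as the severity labels, are assumptions made for this example.

```python
import json

# Subjects that stand for callers the API server could not authenticate.
ANON_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}
# Built-in roles that allow writes; flagged as critical (labels are this example's own).
HIGH_PRIV_ROLES = {"cluster-admin", "admin", "edit"}

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"name": "cluster-system-anonymous"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
        {"metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"metadata": {"name": "ops-admins"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "ops"}]},
        # A binding without a subjects key must not crash the audit.
        {"metadata": {"name": "orphaned"},
         "roleRef": {"kind": "ClusterRole", "name": "view"}},
    ],
})


def is_anonymous(subject):
    """True if the subject matches unauthenticated API callers."""
    return (subject.get("kind"), subject.get("name")) in ANON_SUBJECTS


def find_anonymous_bindings(raw_json):
    """Return (binding, role, severity) for each binding open to anonymous callers."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        subjects = item.get("subjects") or []  # key may be absent or null
        if not any(is_anonymous(s) for s in subjects):
            continue
        role = item["roleRef"]["name"]
        severity = "critical" if role in HIGH_PRIV_ROLES else "review"
        findings.append((item["metadata"]["name"], role, severity))
    return findings


if __name__ == "__main__":
    for name, role, severity in find_anonymous_bindings(SAMPLE):
        print(f"{severity:8} {name} -> {role}")
```

Only cluster-scoped bindings are checked here; namespaced RoleBindings have the same subjects and roleRef fields and can be passed through the same function.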