Using Kubernetes "client-go"

Date: 2019-12-13 08:06:53

Tags: kubernetes

I'm trying to exec a command into a pod, but I keep getting the error unable to upgrade connection: Forbidden

I'm trying to test the code during development via kubectl proxy, which works for all other operations such as creating a deployment or deleting it, but it doesn't work for exec. I read that I need pods/exec, so I created a service account with a role like this

I then retrieve the service account's bearer token and try to use it in my code

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-sa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-view-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-exec-view-role
rules:
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get","create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods-svc-account
  namespace: default
subjects:
- kind: ServiceAccount
  name: dev-sa
roleRef:
  kind: Role
  name: pod-view-role
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods-exec-svc-account
  namespace: default
subjects:
- kind: ServiceAccount
  name: dev-sa
roleRef:
  kind: Role
  name: pod-exec-view-role
  apiGroup: rbac.authorization.k8s.io

Then I tried running the OpenShift example to exec into the pod

package main

import (
    "fmt"
    "os"

    "k8s.io/client-go/rest"
)

// getK8sConfig returns the rest.Config to use: a kubectl-proxy based config
// during local development, otherwise the in-cluster config.
func getK8sConfig() *rest.Config {
    var config *rest.Config
    fmt.Println(os.Getenv("DEVELOPMENT"))
    if os.Getenv("DEVELOPMENT") != "" {
        // when doing local development, reach the k8s API via `kubectl proxy`
        fmt.Println("DEVELOPMENT")
        config = &rest.Config{
            Host:            "http://localhost:8001",
            TLSClientConfig: rest.TLSClientConfig{Insecure: true},
            APIPath:         "/",
            BearerToken:     "eyJhbGciOiJSUzI1NiIsImtpZCI6InFETTJ6R21jMS1NRVpTOER0SnUwdVg1Q05XeDZLV2NKVTdMUnlsZWtUa28ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRldi1zYS10b2tlbi14eGxuaiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZXYtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJmZDVhMzRjNy0wZTkwLTQxNTctYmY0Zi02Yjg4MzIwYWIzMDgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpkZXYtc2EifQ.woZ6Bmkkw-BMV-_UX0Y-S_Lkb6H9zqKZX2aNhyy7valbYIZfIzrDqJYWV9q2SwCP20jBfdsDS40nDcMnHJPE5jZHkTajAV6eAnoq4EspRqORtLGFnVV-JR-okxtvhhQpsw5MdZacJk36ED6Hg8If5uTOF7VF5r70dP7WYBMFiZ3HSlJBnbu7QoTKFmbJ1MafsTQ2RBA37IJPkqi3OHvPadTux6UdMI8LlY7bLkZkaryYR36kwIzSqsYgsnefmm4eZkZzpCeyS9scm9lPjeyQTyCAhftlxfw8m_fsV0EDhmybZCjgJi4R49leJYkHdpnCSkubj87kJAbGMwvLhMhFFQ",
        }
    } else {
        // inside the cluster, use the mounted service account credentials
        var err error
        config, err = rest.InClusterConfig()
        if err != nil {
            panic(err.Error())
        }
    }

    return config
}

So it seems the bearer token is being ignored and I'm somehow getting the privileges of the kubectl admin.

How can I force the rest client to use the provided bearer token? Is this the right way to exec a command into a pod?

1 Answer:

Answer 0 (score: 1)

You are getting the privileges of the kubectl admin because you are connecting through the kubeproxy endpoint exposed on localhost. That has already authorized you with your admin credentials.

I have reproduced this and came up with the following solution:

What you want to do is connect directly to the API server. To retrieve the API address, use the following command:

$ kubectl cluster-info

Then replace the localhost address with the API server IP address

...
        config = &rest.Config{
            Host:            "<APIserverIP:port>",
            TLSClientConfig: rest.TLSClientConfig{Insecure: true},

...

Your code is creating a pod, so you also need to add create and delete permissions to your Service Account

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-view-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete", "get", "list", "watch"]

Let me know if it helps.