Enabling the REST API for GKE deployments, services, etc.

Time: 2020-07-13 13:28:18

Tags: kubernetes google-cloud-platform google-kubernetes-engine kubernetes-apiserver

I am trying to deploy an application on GKE using the REST API. However, the GKE documentation is scattered and it is not clear how to enable Kubernetes REST API access.

Does anyone here have a clear idea of how to create a deployment on a Kubernetes cluster on Google Cloud? If so, I would love to know the detailed steps to enable it. Currently, this is what I get.

A GET call to https://xx.xx.xx.xx/apis/apps/v1/namespaces/default/deployments/nginx-1 returns the following JSON output even though a valid authorization token is supplied:

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "deployments.apps \"nginx-1\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"deployments\" in API group \"apps\" in the namespace \"default\"",
    "reason": "Forbidden",
    "details": {
        "name": "nginx-1",
        "group": "apps",
        "kind": "deployments"
    },
    "code": 403
}

But the admin API appears to be enabled:

Following the instructions at this link and running the following commands:

# Check all possible clusters, as your .KUBECONFIG may have multiple contexts:
kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'

# Select name of cluster you want to interact with from above output:
export CLUSTER_NAME="some_server_name"

# Point to the API server referring the cluster name
APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")

# Gets the token value
TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 --decode)

# Explore the API with TOKEN
curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure

returns the expected output.

1 answer:

Answer 0: (score: 0)

The service account default in the default namespace does not have an RBAC grant allowing it to perform the get verb on the deployment resource in the default namespace.

Use the role and rolebinding below to give the service account the necessary permissions.

To verify the permissions:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployment-reader
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-deployment
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
  name: default # "name" is case sensitive
  namespace: default
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: deployment-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
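As an added example (not code from the question or the answer above), here is a Python helper that parses the 403 Status body quoted in the question and emits a least-privilege Role plus RoleBinding for exactly the service account, verb, resource and namespace that were denied. The function names, the role name deployment-reader and the message regex (which assumes the wording the RBAC authorizer produced above) are my own choices.

```python
import json
import re

# Constructed sample: the 403 Status body quoted in the question above (nginx-1).
FORBIDDEN_STATUS = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure", "code": 403,
    "reason": "Forbidden",
    "message": 'deployments.apps "nginx-1" is forbidden: User '
               '"system:serviceaccount:default:default" cannot get resource '
               '"deployments" in API group "apps" in the namespace "default"',
    "details": {"name": "nginx-1", "group": "apps", "kind": "deployments"},
})

# Assumed message format for a namespaced RBAC denial (matches the text above).
MSG_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"')


def parse_forbidden(body):
    """Return subject, verb, resource, API group and namespace named in a 403 Status."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a Kubernetes 403 Status object")
    m = MSG_RE.search(status.get("message", ""))
    if m is None:
        raise ValueError("unrecognised Forbidden message")
    info = m.groupdict()
    parts = info["user"].split(":")  # system:serviceaccount:<namespace>:<name>
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError("subject is not a service account: " + info["user"])
    info["sa_namespace"], info["sa_name"] = parts[2], parts[3]
    return info


def least_privilege_rbac(info, role_name, extra_verbs=()):
    """Namespaced Role granting only the denied verb (plus extra_verbs) and a RoleBinding
    for the denied service account. kubectl apply accepts these dicts serialised as JSON."""
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": role_name, "namespace": info["namespace"]},
            "rules": [{"apiGroups": [info["group"]], "resources": [info["resource"]],
                       "verbs": [info["verb"], *extra_verbs]}]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": role_name + "-binding", "namespace": info["namespace"]},
               "subjects": [{"kind": "ServiceAccount", "name": info["sa_name"],
                             "namespace": info["sa_namespace"]}],
               "roleRef": {"kind": "Role", "name": role_name,
                           "apiGroup": "rbac.authorization.k8s.io"}}
    return role, binding
```

Running `least_privilege_rbac(parse_forbidden(FORBIDDEN_STATUS), "deployment-reader", ["list", "watch"])` reproduces the Role and RoleBinding shown in the answer; deliberately keeping the rule scoped to one API group, one resource and one namespace is what keeps the token's blast radius small if it leaks.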