Kubernetes: accessing the metrics server API externally



I am trying to access the metrics server of a k8s cluster without using kubectl proxy. After finding the tutorial at https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#without-kubectl-proxy, I ran into a problem.

When requesting curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq, I get the following permission error:

    curl -X GET $APISERVER/apis/metrics.k8s.io/v1beta1/nodes --header "Authorization: Bearer $TOKEN" --insecure | jq
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   386  100   386    0     0   2064      0 --:--:-- --:--:-- --:--:--  2064
    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "nodes.metrics.k8s.io is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"nodes\" in API group \"metrics.k8s.io\" at the cluster scope",
      "reason": "Forbidden",
      "details": {
        "group": "metrics.k8s.io",
        "kind": "nodes"
      },
      "code": 403
    }

I tried creating a custom ServiceAccount testaccount with the following ClusterRoleBinding:

    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: test-admin
    rules:
    - apiGroups: [""]
      resources: ["pods", "nodes"]
      verbs: ["get", "watch", "list"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: test-rbac
    subjects:
    - kind: ServiceAccount
      name: testaccount
      namespace: default
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io

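I have tried this with both the included ClusterRole and the cluster-admin cluster role. With tokens generated after these changes, I still get the same curl error.

I found that what needed to be modified was the apiGroups. The following ClusterRole and ClusterRoleBinding work: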

    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: test-admin
    rules:
    - apiGroups: ["*"] # This was the change
      resources: ["pods", "nodes"]
      verbs: ["get", "watch", "list"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: test-rbac
    subjects:
    - kind: ServiceAccount
      name: testaccount
      namespace: default
    roleRef:
      kind: ClusterRole
      name: test-admin
      apiGroup: rbac.authorization.k8s.io
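
Added example (not part of the original post, and not Kubernetes' own authorizer code): a simplified model of how RBAC matches a rule's apiGroups, resources and verbs against a request, showing why the "" (core) group does not cover metrics.k8s.io while "*" does. The "metrics-only" role and the example.com group are assumptions introduced here for comparison.

```python
"""Simplified model of Kubernetes RBAC rule matching.

Added illustration, not Kubernetes source code. It ignores resourceNames,
subresources and nonResourceURLs, and looks only at apiGroups/resources/verbs.
"""

READ = ["get", "watch", "list"]

# Rules from the two ClusterRoles on this page, plus a narrowed variant
# (assumption: "metrics-only" is introduced here for comparison).
ROLES = {
    "core-only": [{"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": READ}],
    "wildcard": [{"apiGroups": ["*"], "resources": ["pods", "nodes"], "verbs": READ}],
    "metrics-only": [{"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"], "verbs": READ}],
}

# (apiGroup, resource, verb) tuples to evaluate.
REQUESTS = [
    ("metrics.k8s.io", "nodes", "list"),  # the request that returned 403 above
    ("", "nodes", "list"),                # core/v1 Node objects
    ("example.com", "pods", "list"),      # constructed: hypothetical group serving "pods"
]


def _matches(allowed, value):
    """A rule field matches on an exact entry or on the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, group, resource, verb):
    """All three fields of a single rule must match the request."""
    return (_matches(rule["apiGroups"], group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def role_allows(rules, group, resource, verb):
    """RBAC is additive: any one matching rule allows the request."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


def evaluate():
    """Return {role name: [allowed? for each entry in REQUESTS]}."""
    return {name: [role_allows(rules, *req) for req in REQUESTS]
            for name, rules in ROLES.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:13}", dict(zip(REQUESTS, results)))
```

On a live cluster, kubectl auth can-i list nodes.metrics.k8s.io --as=system:serviceaccount:default:testaccount performs the equivalent check against the real authorizer.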
