我们管理 K8s 主要有两种方式:一是在服务器上使用 kubectl 客户端,二是直接调用 API server 的 REST 接口。两者本质相同,kubectl 最终也是通过 API server 完成操作,只是 kubectl 自动帮我们带上了 kubeconfig 里的凭据。
如果不带任何凭据直接访问 k8s 的 API server,会返回 403。注意这里是 403 而不是 401:说明请求已经以 system:anonymous 身份通过了认证(api-server 的 --anonymous-auth 默认为 true),只是该匿名账号没有被 RBAC 授权;如果不希望未认证请求被当作匿名用户处理,可以在 api-server 上关闭匿名认证。返回内容如下:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/api/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
1、新建管理员账号
新建一个createaccount.yaml
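# createaccount.yaml
# ServiceAccount whose token is used for the curl calls later in this post.
# Creating the account grants nothing by itself; permissions come from the
# ClusterRoleBinding in step 2.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin            # account name
  namespace: kube-system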
或者执行
# Same effect as applying createaccount.yaml: create the ServiceAccount "admin"
# in kube-system. The account has no permissions until a ClusterRoleBinding
# (step 2) is attached to it.
kubectl -n kube-system create serviceaccount admin
在服务器上面执行
[root@k8s-master-202 api_user]# kubectl apply -f createaccount.yaml
serviceaccount/admin created
查看新建的账号
[root@k8s-master-202 api_user]# kubectl get sa -n kube-system | grep admin
admin 1 63m
2、授权管理员权限(绑定 cluster-admin 会让这个 ServiceAccount 拥有对整个集群的全部权限,等同于集群 root;生产环境应按最小权限原则,改用只包含所需动作和资源的 ClusterRole/Role)
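# rb.yaml
# Binds the kube-system/admin ServiceAccount to the built-in cluster-admin
# ClusterRole, i.e. unrestricted access to every resource in the cluster.
# Use rbac.authorization.k8s.io/v1: v1beta1 is deprecated since 1.17 and was
# removed in 1.22 (kubectl prints exactly that warning for the original file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin    # full cluster access; narrow this for anything but a lab
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system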
[root@centos7 ~]# kubectl apply -f rb.yaml
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/admin created
3、查看 token。注意:下面拿到的 token 是 cluster-admin 级别、长期有效且不会自动过期的凭据,请当作集群 root 密码对待,不要粘贴到文档、工单或聊天工具中,不再使用时应删除对应 Secret。另外,下面两段输出来自不同的账号(admin-token-jhhsh 与 hl-admin-token-nrsln),实际操作时以自己 `kubectl get secret -n kube-system` 的结果为准。Kubernetes 1.24 及以后版本不再为 ServiceAccount 自动创建 token Secret,这一步会查不到任何结果,需要改用 `kubectl create token admin -n kube-system` 生成有过期时间的 token,或手动创建带 kubernetes.io/service-account.name 注解的 Secret。
[root@centos7 ~]# kubectl get secret -n kube-system| grep admin
admin-token-jhhsh kubernetes.io/service-account-token 3 13m
[root@k8s-master-202 api_user]# kubectl describe secret admin-token-jhhsh -n kube-system | grep token
Name: hl-admin-token-nrsln
Type: kubernetes.io/service-account-token
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InJGclJZVlBhbdsfsdddgdJtTlItdXhxS2ppaUF5dFBuTERMZXQ2em8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJobC1hZG1pbi10b2tlbi1ucnNsbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJobC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjQ4OWFmMzM5LTU0OTUtNDBmZC05NDgzLTY4ZGYzMDM1NWE3MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpobC1hZG1pbiJ9.dWSleE3ko1cEn-ItLhrVRKz8ST9VVcMgonmZfmkDoAKPIqMx02zg_Ahq4aMawOx1v0xQwfz344rnZJTnJxkunMhMXBcaC5c4tYZc2UQPfx7OVkGKrwuw4B2LHolLKsjva_jJNcvvFjSlwS1n2L_5Bo_bFqgwokZlrBFvFiR0OcdlWV3FRbH3tF73X_jVF35olvjT8DNP7uuL-_PTMdB-LwMXZ3o3SsXnBF_duPLA30xQX_uIrodQmfQNkz4ykVI7gBgrPVQ7Cj93XZp5wf-hYd5UdTxsipj4fs6Y0iGeYQNX9kULUtjzCSQS7PUyCqu7RBT7idij6-lJYqDHUSfz1w
4、测试访问api-server
可以正常访问。注意这里用 -k 跳过了对 api-server 证书的校验,即 curl 不会确认对端真的是 API server;一旦流量被中间人劫持,Authorization 头里的 cluster-admin token 会直接泄露给攻击者。-k 只适合临时排障,正式使用请按第 5 步用 --cacert 指定集群 CA。
[root@k8s-master-202 api_user]# curl -H "Authorization: Bearer eyJhbGciOiJSUzfdgdfgmtpZCI6InJGclJZVlBhblFDYmRfOWdKNTJtTlItdXhxS2ppaUF5dFBuTERMZXQ2em8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJobC1hZG1pbi10b2tlbi1ucnNsbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJobC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjQ4OWFmMzM5LTU0OTUtNDBmZC05NDgzLTY4ZGYzMDM1NWE3MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTpobC1hZG1pbiJ9.dWSleE3ko1cEn-ItLhrVRKz8ST9VVcMgonmZfmkDoAKPIqMx02zg_Ahq4aMawOx1v0xQwfz344rnZJTnJxkunMhMXBcaC5c4tYZc2UQPfx7OVkGKrwuw4B2LHolLKsjva_jJNcvvFjSlwS1n2L_5Bo_bFqgwokZlrBFvFiR0OcdlWV3FRbH3tF73X_jVF35olvjT8DNP7uuL-_PTMdB-LwMXZ3o3SsXnBF_duPLA30xQX_uIrodQmfQNkz4ykVI7gBgrPVQ7Cj93XZp5wf-hYd5UdTxsipj4fs6Y0iGeYQNX9kULUtjzCSQS7PUyCqu7RBT7idij6-lJYqDHUSfz1w" -k https://192.168.2.202:6443/api/
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.200.202:6443"
}
]
}
5、使用 https 证书访问 api-server。这里只需要用 --cacert 指定集群 CA 来校验服务端证书即可;--cert/--key 属于客户端证书认证,和 Bearer token 是两种独立的认证方式,用 token 访问时不需要、也不应该再带上 apiserver-kubelet-client 的证书和私钥(那是 api-server 自己访问 kubelet 用的凭据)。另外 curl 的长选项是两个横线(--cacert、--cert、--key),单横线写法会被当成短选项解析。
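# Bearer-token request to the API server with server-certificate verification.
# Read the token out of the ServiceAccount's Secret instead of pasting the
# literal value: it is a long-lived cluster-admin credential.
# NOTE(review): use the Secret name your own cluster shows in
# `kubectl get secret -n kube-system` (the post shows both admin-token-jhhsh
# and hl-admin-token-nrsln); on Kubernetes 1.24+ no Secret is auto-created and
# `kubectl create token admin -n kube-system` should be used instead.
TOKEN=$(kubectl -n kube-system get secret admin-token-jhhsh -o jsonpath='{.data.token}' | base64 -d)

# --cacert verifies the API server certificate, which is what -k skipped.
# curl long options need two dashes: "-cacert" is parsed as the short option
# -c with the argument "acert", and "-key" as -k (insecure) followed by "-e y",
# so the original single-dash command only "worked" because it silently
# disabled verification again.
# --cert/--key are dropped on purpose: client-certificate auth is a separate
# mechanism from the bearer token, and the file used was the API server's own
# kubelet-client credential, not something a token-based client should present.
curl -H "Authorization: Bearer ${TOKEN}" \
  --cacert /etc/kubernetes/pki/ca.crt \
  https://192.168.200.202:6443/api/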
正常返回
参考
https://www.cnblogs.com/cheyunhua/p/16363033.html
https://www.modb.pro/db/396475
https://blog.csdn.net/qq_35745940/article/details/120693490