RBAC授权

Posted effortsing

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了RBAC授权相关的知识,希望对你有一定的参考价值。

给用户授予RBAC权限

没有权限会报如下错误:

执行查看资源报错: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy) [[email protected] ~]# kubectl exec -it http-test-dm2-6dbd76c7dd-cv9qf sh error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy) 解决:创建apiserver到kubelet的权限,就是没有给kubernetes用户rbac授权,授权即可,进行如下操作: 注意:user=kubernetes ,这个user要替换掉下面yaml文件里面的用户名 cat > apiserver-to-kubelet.yaml <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults name: system:kubernetes-to-kubelet rules: - apiGroups: - "" resources: - nodes/proxy - nodes/stats - nodes/log - nodes/spec - nodes/metrics verbs: - "*" --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: system:kubernetes namespace: "" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:kubernetes-to-kubelet subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: kubernetes EOF 创建授权: kubectl create -f apiserver-to-kubelet.yaml [[email protected] ~]# kubectl create -f apiserver-to-kubelet.yaml clusterrole.rbac.authorization.k8s.io/system:kubernetes-to-kubelet created clusterrolebinding.rbac.authorization.k8s.io/system:kubernetes created 重新进到容器查看资源 [[email protected] ~]# kubectl exec -it http-test-dm2-6dbd76c7dd-cv9qf sh / # exit 现在可以进到容器里面查看资源了 参照文档:https://www.jianshu.com/p/b3d8e8b8fd7e

 





以上是关于RBAC授权的主要内容,如果未能解决你的问题,请参考以下文章

Istio数据面配置解析18:使用RBAC对Http请求进行授权

Istio数据面配置解析19:使用RBAC对Tcp连接进行授权(1.1)

权限管理(RBAC)

云原生 | 从零开始学Kubernetes二十八完结篇—rbac授权深入讲解

RBAC授权

RBAC用户特别授权的思考