时间戳

首页 > 解决方案 > 尝试从 pod 访问 Kubernetes API 时出现 403 禁止错误

kubernetes - 尝试从 pod 访问 Kubernetes API 时出现 403 禁止错误

问题描述

根据本文档,我正在尝试使用以下命令从 pod 访问 Kuberenetes API

curl --cacert ca.crt -H "Authorization: Bearer $(<token)" https://kubernetes/apis/extensions/v1beta1/namespaces/default/deployments/ballerina-prime/scale

遵循以下模板

curl --cacert ca.crt -H "Authorization: Bearer $(<token)" https://kubernetes/apis/extensions/v1beta1/namespaces/{namespace}/deployments/{name}/scale

它抛出以下错误

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "deployments.extensions \"ballerina-prime\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"deployments/scale\" in API group \"extensions\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "ballerina-prime",
    "group": "extensions",
    "kind": "deployments"
  },
  "code": 403
}

有人可以指出我在哪里犯错或建议我可以访问 Kubernetes API 的任何其他方式吗?

更新01

我根据建议的文档创建了一个角色。以下是我使用的清单。

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployments-and-deployements-scale
rules:
- apiGroups: [""]
  resources: ["deployments", "deployments/scale"]
  verbs: ["get", "list"]

我使用此命令应用了它。kubectl apply -f deployments-and-deployements-scale.yaml. 我仍然无法访问所需的端点。我在哪里犯错?

标签: kubernetesgoogle-cloud-platformkubernetes-apiserver

解决方案

正如@Thomas 在他的回答下面的评论中提到的那样,您需要通过RoleBinding资源将特定角色分配给目标服务帐户,以解决此授权问题。

参考您的清单:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployments-and-deployements-scale
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "deployments/scale"]
  verbs: ["get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployments-and-deployements-scale-rb
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: deployments-and-deployements-scale
  apiGroup: ""

您可以考虑apiGroups:在角色定义中明确设置、匹配特定的API组或广泛["*"]搜索所有 API 版本。

推荐阅读