kubernetes - Enabling the REST API for GKE deployments, services, etc.

Reposted. Author: 行者123. Updated: 2023-12-02 12:26:48

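I am trying to deploy applications on GKE using the REST API. However, the GKE documentation is all mixed up, and it is unclear how to enable Kubernetes REST API access.
Does anyone here have a clear idea of how to create a Deployment on a Kubernetes cluster on Google Cloud?
If so, I would love to know the detailed steps for enabling it. Currently, this is what I get.
Despite a valid authorization token, a GET call to https://xx.xx.xx.xx/apis/apps/v1/namespaces/default/deployments/nginx-1 still gives the JSON output below: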

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "deployments.apps \"nginx-1\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"deployments\" in API group \"apps\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "nginx-1",
    "group": "apps",
    "kind": "deployments"
  },
  "code": 403
}
However, the administration APIs seem to be enabled:
Following the instructions at this link and executing the commands below:
# Check all possible clusters, as your .KUBECONFIG may have multiple contexts:
kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'

# Select name of cluster you want to interact with from above output:
export CLUSTER_NAME="some_server_name"

# Point to the API server referring the cluster name
APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")

# Gets the token value
TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 --decode)

# Explore the API with TOKEN
curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
gives the desired output.

Best answer

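The service account default in the default namespace does not have RBAC permission to perform the get verb on the deployment resource in the default namespace.
Use the Role and RoleBinding below to give the service account the necessary permission.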

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployment-reader
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-deployment
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
  name: default # "name" is case sensitive
  namespace: default
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: deployment-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

Verify the permission
kubectl auth can-i get deployments --as=system:serviceaccount:default:default -n default
yes
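
The authorization decision behind the question's 403 and the `yes` above, as an added example that is not part of the original answer and is a simplified model, not Kubernetes' own authorizer. It assumes namespaced Role/RoleBinding objects only (no ClusterRoles, resourceNames or aggregation); `can_i` and `check` are hypothetical helper names.

```python
# Simplified model of RBAC evaluation for namespaced Roles (assumption: no
# ClusterRoles, resourceNames or aggregation). Objects mirror the YAML above.
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "deployment-reader"},
    "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
               "verbs": ["get", "watch", "list"]}],
}
BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "default", "name": "read-deployment"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
    "roleRef": {"kind": "Role", "name": "deployment-reader",
                "apiGroup": "rbac.authorization.k8s.io"},
}
SA = "system:serviceaccount:default:default"  # user named in the 403 message

def subject_username(subject):
    """Map a ServiceAccount subject to the username the API server reports."""
    return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"

def matches(values, wanted):
    return "*" in values or wanted in values

def can_i(user, verb, group, resource, namespace, roles, bindings):
    """Return True if some RoleBinding in the namespace grants the request."""
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue
        users = [subject_username(s) for s in b["subjects"]
                 if s["kind"] == "ServiceAccount"]
        if user not in users:
            continue
        for r in roles:
            if (r["metadata"]["name"] != b["roleRef"]["name"]
                    or r["metadata"]["namespace"] != namespace):
                continue
            if any(matches(rule["apiGroups"], group)
                   and matches(rule["resources"], resource)
                   and matches(rule["verbs"], verb) for rule in r["rules"]):
                return True
    return False  # deny by default: no matching rule means 403 Forbidden

def check(verb, roles=(ROLE,), bindings=(BINDING,)):
    return can_i(SA, verb, "apps", "deployments", "default", roles, bindings)

if __name__ == "__main__":
    for verb in ("get", "list", "create", "delete"):
        print(verb, "->", "yes" if check(verb) else "no (403 Forbidden)")
```

With only this read-only Role bound, `create` is still denied, so creating Deployments through the REST API needs a Role that also lists the `create` verb. The same `kubectl auth can-i` check with `create` in place of `get` confirms it on a real cluster.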

Regarding kubernetes - Enabling the REST API for GKE deployments, services, etc., we found a similar question on Stack Overflow: https://stackoverflow.com/questions/62876878/
