kubernetes - Forbidden: user cannot get path "/" (not anonymous user)

Repost. Author: 行者123. Updated: 2023-12-04 02:23:40

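When accessing the k8s API endpoint (FQDN:6443), a successful retrieval returns a JSON object containing the REST endpoint paths. I have a user who has been granted cluster-admin privileges on the cluster, and they are able to interact with that endpoint successfully.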

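I created a certificate for another user and granted them a subset of privileges in my cluster. The error I am trying to correct: they cannot access FQDN:6443, and instead get a 403 with the message "User cannot get path /". I get the same behavior whether I specify FQDN:6443/ or FQDN:6443 (no trailing slash). I have examined the privileges granted to users with the cluster-admin role, but have not found the gap.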

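Other behavior: they can access FQDN:6443/api, which I have not explicitly granted them, as well as the various endpoints I have explicitly granted. I believe they get the api endpoint through the system:discovery role granted to the system:authenticated group. Also, if I try to interact with the cluster without a certificate, I am correctly identified as an anonymous user. If I interact with the cluster using a certificate whose username does not match my role bindings, I get the expected behavior for all endpoints except the FQDN:6443 endpoint.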

Best answer

I had a similar issue. I was trying to curl the base URL, https://api_server_ip:6443, with the correct certificates.

I received this error:

    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "forbidden: User \"kubernetes\" cannot get path \"/\"",
      "reason": "Forbidden",
      "details": {},
      "code": 403
    }

It seems that system:discovery does not grant access to the base URL: https://api_server_ip:6443/. The system:discovery role only grants access to the following paths:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: system:discovery
    rules:
    - nonResourceURLs:
      - /api
      - /api/*
      - /apis
      - /apis/*
      - /healthz
      - /openapi
      - /openapi/*
      - /swagger-2.0.0.pb-v1
      - /swagger.json
      - /swaggerapi
      - /swaggerapi/*
      - /version
      - /version/
      verbs:
      - get

No access to / is granted. So I created the following ClusterRole, which I called discover_base_url. It grants access to the / path:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: discover_base_url
    rules:
    - nonResourceURLs:
      - /
      verbs:
      - get

Then I created a ClusterRoleBinding that binds the forbidden user "kubernetes" (it could be any user) to the above cluster role. The following is the YAML for the ClusterRoleBinding (replace "kubernetes" with your user):

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: discover-base-url
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: discover_base_url
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: kubernetes

After creating these two resources, the curl request works:

    curl --cacert ca.pem --cert kubernetes.pem --key kubernetes-key.pem https://api_server_ip:6443
    {
      "paths": [
        "/api",
        "/api/v1",
        "/apis",
        "/apis/",
        "/apis/admissionregistration.k8s.io",
        "/apis/admissionregistration.k8s.io/v1beta1",
        "/apis/apiextensions.k8s.io",
        "/apis/apiextensions.k8s.io/v1beta1",
        "/apis/apiregistration.k8s.io",
        "/apis/apiregistration.k8s.io/v1",
        "/apis/apiregistration.k8s.io/v1beta1",
        "/apis/apps",
        "/apis/apps/v1",
        "/apis/apps/v1beta1",
        "/apis/apps/v1beta2",
        "/apis/authentication.k8s.io",
        "/apis/authentication.k8s.io/v1",
        "/apis/authentication.k8s.io/v1beta1",
        "/apis/authorization.k8s.io",
        "/apis/authorization.k8s.io/v1",
        "/apis/authorization.k8s.io/v1beta1",
        "/apis/autoscaling",
        "/apis/autoscaling/v1",
        "/apis/autoscaling/v2beta1",
        "/apis/autoscaling/v2beta2",
        "/apis/batch",
        "/apis/batch/v1",
        "/apis/batch/v1beta1",
        "/apis/certificates.k8s.io",
        "/apis/certificates.k8s.io/v1beta1",
        "/apis/coordination.k8s.io",
        "/apis/coordination.k8s.io/v1beta1",
        "/apis/events.k8s.io",
        "/apis/events.k8s.io/v1beta1",
        "/apis/extensions",
        "/apis/extensions/v1beta1",
        "/apis/networking.k8s.io",
        "/apis/networking.k8s.io/v1",
        "/apis/policy",
        "/apis/policy/v1beta1",
        "/apis/rbac.authorization.k8s.io",
        "/apis/rbac.authorization.k8s.io/v1",
        "/apis/rbac.authorization.k8s.io/v1beta1",
        "/apis/scheduling.k8s.io",
        "/apis/scheduling.k8s.io/v1beta1",
        "/apis/storage.k8s.io",
        "/apis/storage.k8s.io/v1",
        "/apis/storage.k8s.io/v1beta1",
        "/healthz",
        "/healthz/autoregister-completion",
        "/healthz/etcd",
        "/healthz/log",
        "/healthz/ping",
        "/healthz/poststarthook/apiservice-openapi-controller",
        "/healthz/poststarthook/apiservice-registration-controller",
        "/healthz/poststarthook/apiservice-status-available-controller",
        "/healthz/poststarthook/bootstrap-controller",
        "/healthz/poststarthook/ca-registration",
        "/healthz/poststarthook/generic-apiserver-start-informers",
        "/healthz/poststarthook/kube-apiserver-autoregistration",
        "/healthz/poststarthook/rbac/bootstrap-roles",
        "/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
        "/healthz/poststarthook/start-apiextensions-controllers",
        "/healthz/poststarthook/start-apiextensions-informers",
        "/healthz/poststarthook/start-kube-aggregator-informers",
        "/healthz/poststarthook/start-kube-apiserver-admission-initializer",
        "/healthz/poststarthook/start-kube-apiserver-informers",
        "/logs",
        "/metrics",
        "/openapi/v2",
        "/swagger-2.0.0.json",
        "/swagger-2.0.0.pb-v1",
        "/swagger-2.0.0.pb-v1.gz",
        "/swagger-ui/",
        "/swagger.json",
        "/swaggerapi",
        "/version"
      ]
    }

Regarding kubernetes - Forbidden: user cannot get path "/" (not anonymous user), we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54656963/
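
The matching behaviour behind the 403, as an added example (not part of the original post, and not Kubernetes' own code): a simplified Python model of how RBAC matches nonResourceURLs, run against the two rules quoted in the answer. The function names are illustrative, and the model assumes these are the only rules bound to the user.

```python
from urllib.parse import urlsplit

# nonResourceURLs of system:discovery, copied from the ClusterRole in the answer.
SYSTEM_DISCOVERY = {
    "nonResourceURLs": [
        "/api", "/api/*", "/apis", "/apis/*", "/healthz", "/openapi",
        "/openapi/*", "/swagger-2.0.0.pb-v1", "/swagger.json",
        "/swaggerapi", "/swaggerapi/*", "/version", "/version/",
    ],
    "verbs": ["get"],
}
# Rule of the discover_base_url ClusterRole from the answer.
DISCOVER_BASE_URL = {"nonResourceURLs": ["/"], "verbs": ["get"]}


def request_path(url):
    """Path an HTTP client sends: an empty path goes out as "/"."""
    return urlsplit(url).path or "/"


def url_matches(pattern, path):
    """Exact match, "*" for everything, or a trailing "*" as a prefix match."""
    if pattern == "*" or pattern == path:
        return True
    return pattern.endswith("*") and path.startswith(pattern.rstrip("*"))


def rule_allows(rule, verb, path):
    verb_ok = any(v in ("*", verb) for v in rule["verbs"])
    return verb_ok and any(url_matches(p, path) for p in rule["nonResourceURLs"])


def authorize(rules, verb, url):
    """RBAC is additive: allowed if any bound rule matches, otherwise 403."""
    path = request_path(url)
    return any(rule_allows(r, verb, path) for r in rules)


if __name__ == "__main__":
    base = "https://api_server_ip:6443"
    cases = [("system:discovery only", [SYSTEM_DISCOVERY]),
             ("plus discover_base_url", [SYSTEM_DISCOVERY, DISCOVER_BASE_URL])]
    for label, rules in cases:
        for suffix in ("", "/", "/api", "/apis/apps/v1", "/metrics"):
            print(label, repr(suffix), authorize(rules, "get", base + suffix))
```

The rule for / is an exact match, so binding discover_base_url opens only the path index; /metrics and /logs stay denied unless another rule grants them.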
