RBAC授权

给用户授予RBAC权限

没有权限会报如下错误：

执行查看资源报错： unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)

[[email protected] ~]# kubectl exec -it http-test-dm2-6dbd76c7dd-cv9qf sh
error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)

解决：创建apiserver到kubelet的权限，就是没有给kubernetes用户rbac授权，授权即可，进行如下操作：

注意：user=kubernetes ，这个user要替换掉下面yaml文件里面的用户名

cat > apiserver-to-kubelet.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kubernetes-to-kubelet
rules:
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
      - nodes/log
      - nodes/spec
      - nodes/metrics
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kubernetes
  namespace: ""
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kubernetes-to-kubelet
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kubernetes
EOF

创建授权:

kubectl create -f apiserver-to-kubelet.yaml 

[[email protected] ~]# kubectl create -f apiserver-to-kubelet.yaml
clusterrole.rbac.authorization.k8s.io/system:kubernetes-to-kubelet created
clusterrolebinding.rbac.authorization.k8s.io/system:kubernetes created

重新进到容器查看资源

[[email protected] ~]# kubectl exec -it http-test-dm2-6dbd76c7dd-cv9qf sh
/ # exit

现在可以进到容器里面查看资源了

参照文档：https://www.jianshu.com/p/b3d8e8b8fd7e

原文地址：https://www.cnblogs.com/effortsing/p/10357276.html