First, some background: our production environment is network-isolated, so we usually put nginx in front of the k8s API server as a reverse proxy, and that is how we ran into the problem below.
Enough preamble; here is the error text:
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"deployments.apps is forbidden: User \"system:anonymous\" cannot list resource \"deployments\" in API group \"apps\" in the namespace \"xxx\"","reason":"Forbidden","details":{"group":"apps","kind":"deployments"}, "code":403}
A small aside here: whether your NGINX config uses an upstream block or a direct proxy_pass, make sure the scheme is https rather than http; otherwise the k8s API server returns the error below:
HTTP response body: Client sent an HTTP request to an https server.
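To make the point concrete, here is an added nginx configuration (not from the original post) showing the broken http scheme next to the corrected https one for both the upstream and the direct proxy_pass form. The API server address 10.0.0.10:6443, the server name and the certificate paths are assumptions.

```nginx
# Added example, not configuration from the original post.
# Assumed: API server at 10.0.0.10:6443, hostname and cert paths below.

# Broken form: the API server only speaks TLS on 6443, so an http://
# proxy_pass makes it answer "Client sent an HTTP request to an https server".
#
# upstream k8s_api { server 10.0.0.10:6443; }
# location / { proxy_pass http://k8s_api; }           # wrong scheme
# location / { proxy_pass http://10.0.0.10:6443; }    # wrong scheme, direct form

# Corrected form: https on proxy_pass, and the upstream hop is verified.
upstream k8s_api {
    server 10.0.0.10:6443;
}

server {
    listen 443 ssl;
    server_name k8s-api.internal.example;             # assumed name
    ssl_certificate     /etc/nginx/tls/k8s-api.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/k8s-api.key;   # assumed path

    location / {
        proxy_pass https://k8s_api;                   # or: proxy_pass https://10.0.0.10:6443;
        proxy_http_version 1.1;

        # Verify the API server's certificate rather than trusting any peer.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/k8s-ca.crt;   # assumed path
        proxy_ssl_server_name on;

        # nginx terminates the client's TLS session here, so a client certificate
        # presented by kubectl is never seen by the API server; only credentials
        # carried in forwarded request headers can authenticate the caller.
        proxy_set_header Host $host;
    }
}
```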
The usual fix found online for the error above is the blunt one of granting the anonymous user administrator rights. That is far too risky, and in production it is simply not acceptable. It looks like this:
kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=dont-do-this --user=system:anonymous
Below is how we solved this simply and through proper means: