Question
I have a Kubernetes cluster set up with a master and a worker node. kubectl cluster-info shows kubernetes-master as well as kube-dns running successfully.
I am trying to access the URL below; since it is internal to my organization, it is not visible to the external world.
https://10.118.3.22:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
But I am getting the error below when I access it:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "services \"kube-dns:dns\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "kube-dns:dns",
    "kind": "services"
  },
  "code": 403
}
Please let me know how to grant full access to the anonymous user. I read about RBAC at https://kubernetes.io/docs/reference/access-authn-authz/rbac/ but I am unable to figure out what exactly I need to do. Thanks
Answer 1:
You can grant admin privileges to the anonymous user, but I strongly discourage it. This will give anyone outside the cluster access to the services using the URL.
If, even after that, you decide to grant all the access to the anonymous user, you can do it the following way:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: anonymous-role
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: anonymous-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: anonymous-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:anonymous
This will allow the anonymous user to proxy your services, not all resources. If you want that for all resources, you need to provide resources: ["*"] in anonymous-role.
Hope this helps
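To check whether a cluster already carries a binding like the one in this answer, the following added example (not part of the original answer and not Kubernetes project code) lists every rule that RBAC bindings grant to system:anonymous or system:unauthenticated. The embedded JSON is constructed sample data in the shape of kubectl's JSON list output; audit_unauthenticated, svc-reader and monitor are hypothetical names.

```python
import json

# Identities the API server assigns to requests that carry no credentials.
UNAUTHENTICATED = {"system:anonymous", "system:unauthenticated"}

# Constructed sample in the shape of
# `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`:
# the two objects from the answer plus one ordinary ServiceAccount binding.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "anonymous-role"},
  "rules": [{"apiGroups": [""], "resources": ["services/proxy"], "verbs": ["*"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "anonymous-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "anonymous-role"},
  "subjects": [{"kind": "User", "name": "system:anonymous"}]},
 {"kind": "ClusterRole", "metadata": {"name": "svc-reader"},
  "rules": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "svc-reader-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "svc-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "monitor", "namespace": "kube-system"}]}
]}
""")


def audit_unauthenticated(objects):
    """Return one finding per rule that a binding grants to an unauthenticated subject."""
    items = objects.get("items", [])
    # Index roles by (kind, namespace, name); ClusterRoles have no namespace.
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o.get("rules") or []
             for o in items if o["kind"] in ("ClusterRole", "Role")}
    findings = []
    for o in items:
        if o["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        hits = sorted(s["name"] for s in o.get("subjects") or []
                      if s.get("kind") in ("User", "Group") and s.get("name") in UNAUTHENTICATED)
        if not hits:
            continue
        ref = o["roleRef"]
        ns = o["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        for rule in roles.get((ref["kind"], ns, ref["name"]), []):
            findings.append({
                "binding": o["metadata"]["name"], "subjects": hits,
                "scope": o["metadata"].get("namespace") or "cluster-wide",
                "resources": rule.get("resources", []), "verbs": rule.get("verbs", []),
                "wildcard": "*" in rule.get("verbs", []) or "*" in rule.get("resources", []),
            })
    return findings
```

On a live cluster, feed the function the parsed output of the kubectl command named in the comment. The default system:public-info-viewer binding will normally show up as well, so review each finding rather than treating every hit as a misconfiguration.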
Source: https://stackoverflow.com/questions/54154112/kubernetes-granting-rbac-access-to-anonymous-users-in-kube-dns