mirror of
https://github.com/kelseyhightower/kubernetes-the-hard-way.git
synced 2025-12-16 01:38:58 +03:00
I kept getting an error as the user is `system:kube-apiserver` and not `kube-apiserver`. Also, the description says the user is `kubernetes`, which should rather be `system:kube-apiserver`.
Below is the error I received; I corrected the CRB manifest after looking carefully at the User attribute in the error received.
```
~ at ☸️ kubernetes-the-hard-way
➜ kubectl logs weave-net-7bmxs weave -n kube-system
Error from server (Forbidden): Forbidden (user=system:kube-apiserver, verb=get, resource=nodes, subresource=proxy) ( pods/log weave-net-7bmxs)
```
59 lines
2.1 KiB
Markdown
## RBAC for Kubelet Authorization

In this section you will configure RBAC permissions to allow the Kubernetes API Server to access the Kubelet API on each worker node. Access to the Kubelet API is required for retrieving metrics and logs and for executing commands in pods.

> This tutorial sets the Kubelet `--authorization-mode` flag to `Webhook`. Webhook mode uses the [SubjectAccessReview](https://kubernetes.io/docs/admin/authorization/#checking-api-access) API to determine authorization: the Kubelet forwards the attributes of each incoming request (user, verb, resource, subresource) to the API Server, so the decision is made by the API Server's authorizers, which is why RBAC rules on the API Server control access to the Kubelet.
Create the `system:kube-apiserver-to-kubelet` [ClusterRole](https://kubernetes.io/docs/admin/authorization/rbac/#role-and-clusterrole) with permissions to access the Kubelet API and perform the most common tasks associated with managing pods:

```
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-apiserver-to-kubelet
rules:
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
      - nodes/log
      - nodes/spec
      - nodes/metrics
    verbs:
      - "*"
EOF
```

The Kubelet maps each request's HTTP method to a verb (GET to `get`, POST to `create`, and so on) and its path to one of the subresources above, so `kubectl logs` needs `get` on `nodes/proxy` while `kubectl exec` needs `create`; the `"*"` verb covers both. `rbac.authorization.k8s.io/v1` has been available since Kubernetes 1.8; the `v1beta1` version found in older copies of this guide was removed in Kubernetes 1.22.

Reference: https://v1-12.docs.kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole

The Kubernetes API Server authenticates to the Kubelet as the `system:kube-apiserver` user using the client certificate specified by its `--kubelet-client-certificate` flag. The Kubelet takes the username from that certificate's subject CN, and it is this username, shown as `user=` in a Kubelet `Forbidden` error, that must appear as the subject of the binding below.

Bind the `system:kube-apiserver-to-kubelet` ClusterRole to the `system:kube-apiserver` user:

```
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kube-apiserver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-apiserver-to-kubelet
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: system:kube-apiserver
EOF
```

Reference: https://v1-12.docs.kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding

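
To confirm that the ClusterRole and ClusterRoleBinding actually produce the decision the Kubelet relies on, the following script, added here as an example and not part of the tutorial, submits the same `SubjectAccessReview` that the Kubelet's Webhook authorizer sends to the API Server for each Kubelet API subresource and reports any denial. It assumes `admin.kubeconfig` in the current directory, `kubectl` on the `PATH`, and `system:kube-apiserver` as the CN of the API Server's client certificate; the `KUBECONFIG_FILE` and `APISERVER_USER` variables and the file name `verify-kubelet-rbac.sh` are names chosen for this script.

```shell
#!/bin/sh
# Added example (not part of kubernetes-the-hard-way): reproduce the Kubelet's
# Webhook authorization decision for the API Server's identity.
# Assumptions: admin.kubeconfig in the current directory, kubectl on PATH, and
# the API Server's client certificate CN being system:kube-apiserver.
set -eu

KUBECONFIG_FILE="${KUBECONFIG_FILE:-admin.kubeconfig}"     # assumed path, as used in the tutorial
APISERVER_USER="${APISERVER_USER:-system:kube-apiserver}"  # CN of --kubelet-client-certificate

# Render the SubjectAccessReview the Kubelet sends to the API Server for one
# Kubelet API request. Needs no cluster access, so it can be inspected offline.
# The Kubelet derives the verb from the HTTP method (GET -> get, POST -> create)
# and the subresource from the path (/stats, /metrics, /logs, /spec, else proxy).
sar_manifest() {
  user="$1"; verb="$2"; resource="$3"; subresource="$4"
  cat <<EOF
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: ${user}
  resourceAttributes:
    group: ""
    verb: ${verb}
    resource: ${resource}
    subresource: ${subresource}
EOF
}

# Submit the review to the API Server; prints the authorizer's answer, true or false.
sar_allowed() {
  sar_manifest "$@" | kubectl --kubeconfig "${KUBECONFIG_FILE}" create -f - \
    -o jsonpath='{.status.allowed}'
}

# Ask about every verb/subresource pair the ClusterRole above is meant to cover.
# create on nodes/proxy is what kubectl exec, attach and port-forward need.
check_kubelet_access() {
  rc=0
  for pair in get:proxy create:proxy get:stats get:log get:spec get:metrics; do
    verb="${pair%%:*}"; sub="${pair#*:}"
    if [ "$(sar_allowed "${APISERVER_USER}" "${verb}" nodes "${sub}")" = "true" ]; then
      echo "allowed: user=${APISERVER_USER} verb=${verb} resource=nodes subresource=${sub}"
    else
      echo "DENIED:  user=${APISERVER_USER} verb=${verb} resource=nodes subresource=${sub}" >&2
      rc=1
    fi
  done
  return "${rc}"
}

case "${1:-}" in
  check)  check_kubelet_access ;;
  render) sar_manifest "${APISERVER_USER}" get nodes "${2:-proxy}" ;;
  *)      echo "usage: $0 check | render [subresource]" >&2 ;;
esac
```

Run `sh verify-kubelet-rbac.sh check` after applying the binding; a `DENIED` line for `get` on `nodes/proxy` is exactly the condition behind the `Forbidden (user=system:kube-apiserver, verb=get, resource=nodes, subresource=proxy)` error quoted in the commit message at the top of this page, because `kubectl logs` reaches the Kubelet through the API Server's request to `nodes/<name>/proxy`. If the `user=` in such an error differs from the subject of your ClusterRoleBinding, the certificate CN and the binding are out of step. `sh verify-kubelet-rbac.sh render metrics` prints the raw review object for inspection without contacting the cluster.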
Next: [DNS Addon](14-dns-addon.md)