Posted by 吉刚 on 2020-1-18 19:07:00

013. Kubernetes Authentication and Authorization

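<h2>1 Introduction to the Kubernetes authentication system</h2>
<h3>1.1 Access control</h3>
<p>Every request to the Kubernetes API passes through several stages of access control before it is accepted: authentication, authorization, and admission control.</p>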
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118165230254-1154400037.png" alt="" width="580" height="252"></p>
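<h3>1.2 Authentication</h3>
<p>Once TLS is enabled on the cluster, every API request a client sends to Kubernetes must be authenticated to verify that the user is legitimate.</p>
<p>Kubernetes supports several authentication mechanisms and allows multiple authentication plugins to be enabled at the same time (a request is authenticated as soon as any one of them succeeds). If authentication succeeds, the user's username is passed to the authorization module for further authorization checks; a request that fails authentication is answered with HTTP 401.</p>
<p>All certificates are located on the master node</p>
<p># cd /etc/kubernetes/pki/</p>
<p># ll</p>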
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118180111040-31518270.png" alt="" width="919" height="302"></p>
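<p>Access to the API server is based on a certificate-bearing file, /root/.kube/config. This file contains:</p>
<ul>
<li>the API server address</li>
<li>the CA certificate information</li>
<li>the user account</li>
<li>the user account's certificate information</li>
</ul>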
<p># cat /root/.kube/config</p>
<div class="cnblogs_code">
<pre>apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.132.131:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: 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
    client-key-data: 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</pre>
</div>
<h3>1.3 Certificate encoding (base64)</h3>
<p># cat sa.key |base64 -w 0</p>
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118180808105-1542102638.png" alt="" width="1116" height="319"></p>
<h3>1.4 The private key in the credentials file</h3>
<p># cat /root/.kube/config</p>
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118180933545-1252940938.png" alt="" width="1113" height="250"></p>
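<h3>1.5 Authentication methods and flow</h3>
<p>The local API server, controller manager and scheduler listen on the local insecure port, which requires no authentication and carries full privileges; this port can only be used locally.</p>
<p>Authentication between a node's kubelet and the API server: when the API server starts it generates a token file, and the kubelet's first connection is token-based. The default user, bootstrp-kubelet, presents the token to the API server, which then issues a certificate; this is defined in the kubelet.kubeconfig file.</p>
<p>Authentication between the API server and kube-proxy:</p>
<p>Authentication plugins</p>
<p>X509 certificates</p>
<ul>
<li>Using X509 client certificates only requires starting the API server with --client-ca-file=SOMEFILE. During certificate authentication, the CN field is used as the username and the organization field is used as the group name.</li>
</ul>
<p>Static token file</p>
<ul>
<li>Static token file authentication only requires starting the API server with --token-auth-file=SOMEFILE.</li>
<li>The file is in CSV format; each line contains at least three columns (token, username, user id), for example: token,user,uid,"group1,group2,group3"</li>
</ul>
<p>Bootstrap tokens</p>
<ul>
<li>Bootstrap tokens are generated dynamically and stored in Secrets in the kube-system namespace; they are used when deploying a new Kubernetes cluster.</li>
<li>Using bootstrap tokens requires starting the API server with --experimental-bootstrap-token-auth and enabling TokenCleaner in the Controller Manager with --controllers=*,tokencleaner,bootstrapsigner.</li>
<li>When Kubernetes is deployed with kubeadm, kubeadm creates a default token automatically; it can be listed with the kubeadm token list command.</li>
</ul>
<p>Static password file</p>
<ul>
<li>Requires starting the API server with --basic-auth-file=SOMEFILE. The file is in CSV format; each line contains at least three columns (password, user, uid), optionally followed by group names, for example:</li>
<li>password,user,uid,"group1,group2,group3"</li>
</ul>
<p>Service Account</p>
<ul>
<li>A ServiceAccount is generated automatically by Kubernetes and is automatically mounted into the container under the /run/secrets/kubernetes.io/serviceaccount directory.</li>
</ul>
<p>OpenID</p>
<ul>
<li>The OAuth2 authentication mechanism</li>
</ul>
<p>OpenStack Keystone password</p>
<ul>
<li>Requires starting the API server with --experimental-keystone-url=&lt;AuthURL&gt;; with https, --experimental-keystone-ca-file=SOMEFILE must be set as well.</li>
</ul>
<p>Anonymous requests</p>
<ul>
<li>If an authorization mode other than AlwaysAllow is used, anonymous requests are enabled by default; they can be disabled with --anonymous-auth=false.</li>
</ul>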
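<p>Kubernetes authentication accounts</p>
<ol>
<li>User accounts are for administrators; service accounts are for processes running inside Pods.</li>
<li>User accounts are global; a Service Account belongs to a namespace.</li>
<li>Groups are used to associate multiple accounts; the cluster has some groups that are created by default, such as cluster-admin</li>
<li>Kubernetes has no User Account API object, so users cannot be listed from within the cluster</li>
</ol>
<p>Service Account</p>
<ol>
<li>Service accounts are designed to let processes inside a Pod call the Kubernetes API or other external services. They differ from user accounts</li>
<li>User accounts are designed for people, whereas service accounts are designed for processes in Pods that call the Kubernetes API;</li>
<li>User accounts span namespaces, whereas a service account is limited to the namespace it lives in;</li>
<li>Every namespace automatically gets a default service account</li>
<li>The token controller watches for the creation of service accounts and creates a secret for each of them</li>
<li>Once the ServiceAccount Admission Controller is enabled:</li>
<li>Every Pod automatically has spec.serviceAccountName set to default when it is created (unless another ServiceAccount is specified)</li>
<li>It verifies that the service account referenced by the Pod exists, and rejects creation otherwise</li>
<li>If the Pod does not specify ImagePullSecrets, the service account's ImagePullSecrets are added to the Pod</li>
<li>When each container starts, the service account's token and ca.crt are mounted at /var/run/secrets/kubernetes.io/serviceaccount/</li>
</ol>
<p>The default authentication is certificate-based mutual authentication; when a K8s cluster is created, a set of certificates is generated by default</p>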
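<h3>1.6 Authorization</h3>
<p>Authorization controls access to cluster resources. The attributes carried by a request are checked against the corresponding access policies, and an API request must satisfy certain policies before it is processed. As with authentication, Kubernetes supports several authorization mechanisms and allows multiple authorization plugins to be enabled at the same time (a request is authorized as soon as any one of them approves it). If authorization succeeds, the request is passed to the admission control module for further validation; a request that fails authorization is answered with HTTP 403.</p>
<p>Authorization is based on roles</p>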
<p># kubectl get clusterroles</p>
<div class="cnblogs_code">
<pre>NAME                                                                   AGE
admin                                                                  8d
cluster-admin                                                          8d
edit                                                                   8d
flannel                                                                8d
kubernetes-dashboard                                                   8d
system:aggregate-to-admin                                              8d
system:aggregate-to-edit                                               8d
system:aggregate-to-view                                               8d
system:auth-delegator                                                  8d
system:basic-user                                                      8d
system:certificates.k8s.io:certificatesigningrequests:nodeclient       8d
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   8d
system:controller:attachdetach-controller                              8d
system:controller:certificate-controller                               8d
system:controller:clusterrole-aggregation-controller                   8d
system:controller:cronjob-controller                                   8d
system:controller:daemon-set-controller                                8d
system:controller:deployment-controller                                8d
system:controller:disruption-controller                                8d
system:controller:endpoint-controller                                  8d
system:controller:expand-controller                                    8d
system:controller:generic-garbage-collector                            8d
system:controller:horizontal-pod-autoscaler                            8d
system:controller:job-controller                                       8d
system:controller:namespace-controller                                 8d
system:controller:node-controller                                      8d
system:controller:persistent-volume-binder                             8d
system:controller:pod-garbage-collector                                8d
system:controller:pv-protection-controller                             8d
system:controller:pvc-protection-controller                            8d
system:controller:replicaset-controller                                8d
system:controller:replication-controller                               8d
system:controller:resourcequota-controller                             8d
system:controller:route-controller                                     8d
system:controller:service-account-controller                           8d
system:controller:service-controller                                   8d
system:controller:statefulset-controller                               8d
system:controller:ttl-controller                                       8d
system:coredns                                                         8d
system:discovery                                                       8d
system:heapster                                                        8d
system:kube-aggregator                                                 8d
system:kube-controller-manager                                         8d
system:kube-dns                                                        8d
system:kube-scheduler                                                  8d
system:kubelet-api-admin                                               8d
system:node                                                            8d
system:node-bootstrapper                                               8d
system:node-problem-detector                                           8d
system:node-proxier                                                    8d
system:persistent-volume-provisioner                                   8d
system:public-info-viewer                                              8d
system:volume-scheduler                                                8d
view                                                                   8d</pre>
</div>
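<p>The roles above are the built-in permissions</p>
<p>cluster-admin is the super-administrator permission</p>
<p>Permission groups:</p>
<p>roles: namespace level</p>
<p>clusterroles: cluster level</p>
<p>Granting authorization: permissions are bound to an account through a rolebinding or a clusterrolebinding, which creates a new resource</p>
<p>This authorization method is called RBAC authorization</p>
<h2>2 Reading through an ingress authorization</h2>
<h3>2.1 Every deployed system runs under an SA identity</h3>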
<p># kubectl get sa</p>
<div class="cnblogs_code">
<pre>NAME      SECRETS   AGE
default   1         8d</pre>
</div>
<p># kubectl get sa default -o yaml</p>
<div class="cnblogs_code">
<pre>apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-01-09T18:19:18Z"
  name: default
  namespace: default
  resourceVersion: "359"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: 47332a49-bbac-46b8-9fd7-18943e710021
secrets:
- name: default-token-bwbrn</pre>
</div>
<h3>2.2 Viewing the SA (serviceaccount) information of the ingress account</h3>
<p># vi /yamls/ingress/nginx-controller.yaml</p>
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118181936811-1845867859.png" alt="" width="855" height="218"></p>
<h3>2.3 Rules</h3>
<div class="cnblogs_code">
<pre>apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update</pre>
</div>
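<p>RBAC treats a rule list like the one above as an additive allow-list: a request is permitted when any single rule matches its API group, resource and verb. The following added example (not part of the original post and not Kubernetes code) models that matching in simplified form, ignoring resourceNames, nonResourceURLs and role aggregation, and checks requests against the nginx-ingress-clusterrole rules; all function names are hypothetical.</p>

```python
"""Simplified RBAC rule matching against the nginx-ingress-clusterrole rules.

Illustrative model only: resourceNames, nonResourceURLs and role aggregation
are not handled. Function names are hypothetical, not a Kubernetes API.
"""

# Rules transcribed from the ClusterRole shown above.
INGRESS_RULES = [
    {"apiGroups": [""],
     "resources": ["configmaps", "endpoints", "nodes", "pods", "secrets"],
     "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["extensions", "networking.k8s.io"],
     "resources": ["ingresses"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions", "networking.k8s.io"],
     "resources": ["ingresses/status"], "verbs": ["update"]},
]

# Verbs that return Secret objects to the caller.
READ_VERBS = {"get", "list", "watch", "*"}


def matches(allowed, value):
    """A rule field matches when it lists the value or the '*' wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """True when one rule covers the (apiGroup, resource, verb) triple."""
    return (matches(rule.get("apiGroups", []), api_group)
            and matches(rule.get("resources", []), resource)
            and matches(rule.get("verbs", []), verb))


def is_allowed(rules, api_group, resource, verb):
    """RBAC is additive: any matching rule allows; there are no deny rules."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def secret_read_grants(rules):
    """List, per rule, the verbs that expose Secret contents.

    list and watch return full Secret objects, so they disclose the data
    even when 'get' is not granted.
    """
    findings = []
    for rule in rules:
        if (matches(rule.get("apiGroups", []), "")
                and matches(rule.get("resources", []), "secrets")):
            verbs = sorted(READ_VERBS.intersection(rule.get("verbs", [])))
            if verbs:
                findings.append(verbs)
    return findings


if __name__ == "__main__":
    checks = [
        ("", "secrets", "list"),
        ("", "secrets", "get"),
        ("", "pods", "delete"),
        ("networking.k8s.io", "ingresses", "update"),
        ("networking.k8s.io", "ingresses/status", "update"),
    ]
    for group, resource, verb in checks:
        verdict = "allow" if is_allowed(INGRESS_RULES, group, resource, verb) else "deny"
        print(f"{verb:7} {group or 'core'}/{resource}: {verdict}")
    print("secret-reading verbs:", secret_read_grants(INGRESS_RULES))
```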
<h3>2.4 Binding the permissions</h3>
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118182154382-25906899.png" alt="" width="917" height="598"></p>
<h3>2.5 Viewing the cluster-admin role</h3>
<p># kubectl get clusterrole -o yaml cluster-admin</p>
<div class="cnblogs_code">
<pre>apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2020-01-09T18:18:59Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "45"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
  uid: 277dddfd-c72d-4450-97e1-244c56ad837a
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'</pre>
</div>
<h2>3 Creating a super-administrator account</h2>
<h3>3.1 Creating a user</h3>
<p># mkdir /yamls/sa</p>
<p># cd /yamls/sa</p>
<p># vi test-sa.taml</p>
<div class="cnblogs_code">
<pre>apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa</pre>
</div>
<p># kubectl apply -f test-sa.taml</p>
<div class="cnblogs_code">
<pre>serviceaccount/test-sa created</pre>
</div>
<p># kubectl get sa</p>
<div class="cnblogs_code">
<pre>NAME      SECRETS   AGE
default   1         8d
test-sa   1         12s</pre>
</div>
<p>Make this SA a super administrator</p>
<h3>3.2 Binding to cluster-admin</h3>
<p># vim test-sa-role.yaml</p>
<div class="cnblogs_code">
<pre>apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: test-sa-role-binding
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: test-sa
    namespace: default</pre>
</div>
<p># kubectl apply -f test-sa-role.yaml</p>
<div class="cnblogs_code">
<pre>clusterrolebinding.rbac.authorization.k8s.io/test-sa-role-binding created</pre>
</div>
<p># kubectl get clusterrolebinding |grep test</p>
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118183711036-293868086.png" alt="" width="799" height="43"></p>
<h3>3.3 Viewing the administrator information</h3>
<p># kubectl describe clusterrolebinding test-sa-role-binding</p>
<div class="cnblogs_code">
<pre>Name:         test-sa-role-binding
Labels:       &lt;none&gt;
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"test-sa-role-binding"},...
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  test-sa  default</pre>
</div>
<p># kubectl describe clusterrole cluster-admin</p>
<div class="cnblogs_code">
<pre>Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]</pre>
</div>
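<p>A ClusterRoleBinding such as test-sa-role-binding gives every workload that holds the service account's token the full cluster-admin rule set, so these bindings are worth enumerating during a review. The following added example (not part of the original post) scans a constructed sample, shaped like the output of kubectl get clusterroles,clusterrolebindings -o json, and reports service accounts bound to any ClusterRole that carries a wildcard rule; the ops-all role, the other sample objects and all function names are assumptions made for the illustration.</p>

```python
"""Find service accounts bound to cluster-admin-equivalent ClusterRoles.

Constructed sample data; helper names are hypothetical. Only
ClusterRoleBindings are examined: a RoleBinding that references the same
ClusterRole grants it inside one namespace and would need a separate pass.
"""
import json

# Constructed sample in the shape of
# `kubectl get clusterroles,clusterrolebindings -o json` (kind: List).
SAMPLE_JSON = """
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
            {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "ops-all"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "view-pods"},
  "rules": [{"apiGroups": [""], "resources": ["pods"],
             "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "test-sa-role-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "test-sa",
                "namespace": "default"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-all-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "ops-all"},
  "subjects": [{"kind": "ServiceAccount", "name": "deployer",
                "namespace": "ci"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "view-pods-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "view-pods"},
  "subjects": [{"kind": "ServiceAccount", "name": "reader",
                "namespace": "default"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dangling"},
  "roleRef": {"kind": "ClusterRole", "name": "deleted-role"}}
]}
"""
ITEMS = json.loads(SAMPLE_JSON)["items"]


def is_wildcard_rule(rule):
    """True for a rule granting every verb on every resource in every group."""
    return all("*" in (rule.get(key) or [])
               for key in ("apiGroups", "resources", "verbs"))


def admin_equivalent_roles(items):
    """Names of ClusterRoles with at least one all-wildcard rule.

    Matching on rule content, not on the name 'cluster-admin', also catches
    custom roles that grant the same power.
    """
    return {item["metadata"]["name"] for item in items
            if item["kind"] == "ClusterRole"
            and any(is_wildcard_rule(r) for r in item.get("rules") or [])}


def subject_name(subject):
    """Render a subject the way it appears as an authenticated username."""
    if subject["kind"] == "ServiceAccount":
        return ("system:serviceaccount:"
                f"{subject.get('namespace', '')}:{subject['name']}")
    return f"{subject['kind']}:{subject['name']}"


def find_admin_bindings(items, kinds=("ServiceAccount",)):
    """Return sorted (binding, role, subject) tuples for risky bindings."""
    admin_roles = admin_equivalent_roles(items)
    findings = []
    for item in items:
        if item["kind"] != "ClusterRoleBinding":
            continue
        role = item["roleRef"]["name"]
        if role not in admin_roles:
            continue
        # 'subjects' may be absent or null on a binding with no subjects.
        for subject in item.get("subjects") or []:
            if subject["kind"] in kinds:
                findings.append((item["metadata"]["name"], role,
                                 subject_name(subject)))
    return sorted(findings)


if __name__ == "__main__":
    for binding, role, subject in find_admin_bindings(ITEMS):
        print(f"{subject} -> {role} (via {binding})")
```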
<p># kubectl describe sa test-sa</p>
<div class="cnblogs_code">
<pre>Name:                test-sa
Namespace:           default
Labels:              &lt;none&gt;
Annotations:         kubectl.kubernetes.io/last-applied-configuration:
                       {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"test-sa","namespace":"default"}}
Image pull secrets:  &lt;none&gt;
Mountable secrets:   test-sa-token-rn7db
Tokens:              test-sa-token-rn7db   # has its own token
Events:              &lt;none&gt;</pre>
</div>
<h3>3.4 Viewing the token in this secret</h3>
<p># kubectl get secret</p>
<div class="cnblogs_code">
<pre>NAME                  TYPE                                  DATA   AGE
default-token-bwbrn   kubernetes.io/service-account-token   3      8d
hub-secret            kubernetes.io/dockerconfigjson        1      164m
test-sa-token-rn7db   kubernetes.io/service-account-token   3      13m</pre>
</div>
<p># kubectl describe secret test-sa-token-rn7db</p>
<div class="cnblogs_code">
<pre>Name:         test-sa-token-rn7db
Namespace:    default
Labels:       &lt;none&gt;
Annotations:  kubernetes.io/service-account.name: test-sa
              kubernetes.io/service-account.uid: 6e767195-c019-43b0-ad6a-81b35e86b9f7

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7<span style="color: rgba(0, 0, 0, 1)"> bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6Inl0U2JtWkVaSkNjbFpCMGpkVktHTGtTUTFvZFc3LVUxeUllRkRyalcxYncifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3Qtc2EtdG9rZW4tcm43ZGIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidGVzdC1zYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjZlNzY3MTk1LWMwMTktNDNiMC1hZDZhLTgxYjM1ZTg2YjlmNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnRlc3Qtc2EifQ.RydJTCW3yocxk3_3ThwuWz4zSzymQScvOc7gw1</span>-GsATHfilDK7-CPrEYSkaA90uNFIBfQJovxzpbEtPmge7MAoweCp52Sx8cdA8ppxxgBGpIMC-EiV4unsazxZprrqbGuQ45UCumZYVu70X4UjuPaScf9fHRfJtESDbDEWjeIknhNFcLSw8TCxVpoprC1teF6HflFXG90sR3V_ag2lAXFMeobrnhcTPL5NCxKbwYzsJkiCDIlOsEppCS8d1AZ77pQcTzPLtpe7GtJIhQN-ZBlBrhlEqRCNsEPnG-Ar6eGu5jb5gvOf8NXm_OPnRRyYh8OEHJ_LcdAjq92w2BXmdTYw</pre>
</div>
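<p>The token stored in the secret is a JWT whose payload names the service account it belongs to. The following added example (not part of the original post) decodes the header and claims of a constructed, unsigned token that uses the same claim names as a secret-based service account token, and reports whether it carries an expiry; the sample claim values and the function names are assumptions, and decoding does not verify the signature.</p>

```python
"""Inspect the claims of a secret-based service account token.

The sample token is constructed here and carries a placeholder signature.
Decoding is not verification: only the API server, which holds the signing
public key, can tell whether a token is genuine.
"""
import base64
import json
from datetime import datetime, timezone

LEGACY_ISSUER = "kubernetes/serviceaccount"
PREFIX = "kubernetes.io/serviceaccount/"

# Constructed claims with the field names used by secret-based SA tokens.
SAMPLE_CLAIMS = {
    "iss": LEGACY_ISSUER,
    PREFIX + "namespace": "default",
    PREFIX + "secret.name": "test-sa-token-rn7db",
    PREFIX + "service-account.name": "test-sa",
    PREFIX + "service-account.uid": "00000000-0000-0000-0000-000000000000",
    "sub": "system:serviceaccount:default:test-sa",
}


def b64url_encode(raw):
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment):
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims):
    """Build a JWT-shaped string for the demo (signature is a placeholder)."""
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    segments = [b64url_encode(json.dumps(part).encode())
                for part in (header, claims)]
    return ".".join(segments + ["constructed-signature"])


def decode_unverified(token):
    """Return (header, claims) WITHOUT checking the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError(f"malformed JWT segment: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("JWT header and payload must be JSON objects")
    return header, claims


def summarize(claims):
    """Pull out the identity fields and the expiry, if there is one."""
    exp = claims.get("exp")
    expires = None
    if exp is not None:
        expires = datetime.fromtimestamp(exp, tz=timezone.utc).isoformat()
    return {
        "subject": claims.get("sub"),
        "namespace": claims.get(PREFIX + "namespace"),
        "service_account": claims.get(PREFIX + "service-account.name"),
        "secret": claims.get(PREFIX + "secret.name"),
        "legacy_secret_token": claims.get("iss") == LEGACY_ISSUER,
        # No 'exp' claim means the token stays valid until the secret or
        # the service account is deleted.
        "expires": expires,
    }


if __name__ == "__main__":
    header, claims = decode_unverified(make_unsigned_token(SAMPLE_CLAIMS))
    print("alg:", header["alg"])
    for key, value in summarize(claims).items():
        print(f"{key}: {value}")
```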
<h3>3.5 Accessing the dashboard</h3>
<p>This token can be used to access the dashboard</p>
<p># kubectl get pods -n kubernetes-dashboard -o wide</p>
<div class="cnblogs_code">
<pre>NAME                                         READY   STATUS    RESTARTS   AGE     IP            NODE              NOMINATED NODE   READINESS GATES
dashboard-metrics-scraper-76585494d8-95j9v   1/1     Running   1          8d      10.244.2.13   192.168.132.133   &lt;none&gt;           &lt;none&gt;
kubernetes-dashboard-b7ffbc8cb-nz5gf         1/1     Running   0          4d20h   10.244.0.11   192.168.132.131   &lt;none&gt;           &lt;none&gt;</pre>
</div>
<p># kubectl get svc -n kubernetes-dashboard -o wide</p>
<div class="cnblogs_code">
<pre>NAME                        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE   SELECTOR
dashboard-metrics-scraper   ClusterIP   10.96.93.119   &lt;none&gt;        8000/TCP        8d    k8s-app=dashboard-metrics-scraper
kubernetes-dashboard        NodePort    10.96.87.98    &lt;none&gt;        443:32443/TCP   8d    k8s-app=kubernetes-dashboard</pre>
</div>
<p>https://192.168.132.131:32443/</p>
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118184639693-758444198.png" alt="" width="916" height="248"></p>
<p>Click Advanced</p>
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118184658596-1862613770.png" alt="" width="707" height="211"></p>
<p>Accept the risk and enter the token</p>
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118184747417-42055629.png" alt="" width="998" height="353"></p>
<p>Log in</p>
<p><img src="https://img2018.cnblogs.com/i-beta/1624149/202001/1624149-20200118184835258-260282125.png" alt="" width="997" height="524"></p>
<p>The dashboard interface is displayed</p>
<h3>3.6 Accessing the dashboard from the command line</h3>
<p>Direct access is denied</p>
<p># curl -k https://192.168.132.131:6443</p>
<div class="cnblogs_code">
<pre>{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}</pre>
</div>
<p>Access with a token:</p>
<p># curl -k --header "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Inl0U2JtWkVaSkNjbFpCMGpkVtHTGtTUTFvZFc3LVUxeUllRkRyalcxYncifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3Qtc2EtdG9rZW4tcm43ZGIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoidGVzdC1zYSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjZlNzY3MTk1LWMwMTktNDNiMC1hZDZhLTgxYjM1ZTg2YjlmNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnRlc3Qtc2EifQ.RydJTCW3yocxk3_3ThwuWz4zSzymQScvOc7gw1-GsATHfilDK7-CPrEYSkaA90uNFIBfQJovxzpbEtPmge7MAoweCp52Sx8cdA8ppxxgBGpIMC-EiV4unsazxZprrqbGuQ45UCumZYVu70X4UjuPaScf9fHRfJtESDbDEWjeIknhNFcLSw8TCxVpoprC1teF6HflFXG90sR3V_ag2lAXFMeobrnhcTPL5NCxKbwYzsJkiCDIlOsEppCS8d1AZ77pQcTzPLtpe7GtJIhQN-ZBlBrhlEqRCNsEPnG-Ar6eGu5jb5gvOf8NXm_OPnRRyYh8OEHJ_LcdAjq92w2BXmdTYw" https://192.168.132.131:6443</p>
<div class="cnblogs_code">
<pre>{
  "paths": [
    "/api",
    "/api/v1",
    "/apis",
    "/apis/",
    "/apis/admissionregistration.k8s.io",
    "/apis/admissionregistration.k8s.io/v1",
    "/apis/admissionregistration.k8s.io/v1beta1",
    "/apis/apiextensions.k8s.io",
    "/apis/apiextensions.k8s.io/v1",
    "/apis/apiextensions.k8s.io/v1beta1",
    "/apis/apiregistration.k8s.io",
    "/apis/apiregistration.k8s.io/v1",
    "/apis/apiregistration.k8s.io/v1beta1",
    "/apis/apps",
    "/apis/apps/v1",
    "/apis/authentication.k8s.io",
    "/apis/authentication.k8s.io/v1",
    "/apis/authentication.k8s.io/v1beta1",
    "/apis/authorization.k8s.io",
    "/apis/authorization.k8s.io/v1",
    "/apis/authorization.k8s.io/v1beta1",
    "/apis/autoscaling",
    "/apis/autoscaling/v1",
    "/apis/autoscaling/v2beta1",
    "/apis/autoscaling/v2beta2",
    "/apis/batch",
    "/apis/batch/v1",
    "/apis/batch/v1beta1",
    "/apis/certificates.k8s.io",
    "/apis/certificates.k8s.io/v1beta1",
    "/apis/coordination.k8s.io",
    "/apis/coordination.k8s.io/v1",
    "/apis/coordination.k8s.io/v1beta1",
    "/apis/discovery.k8s.io",
    "/apis/discovery.k8s.io/v1beta1",
    "/apis/events.k8s.io",
    "/apis/events.k8s.io/v1beta1",
    "/apis/extensions",
    "/apis/extensions/v1beta1",
    "/apis/networking.k8s.io",
    "/apis/networking.k8s.io/v1",
    "/apis/networking.k8s.io/v1beta1",
    "/apis/node.k8s.io",
    "/apis/node.k8s.io/v1beta1",
    "/apis/policy",
    "/apis/policy/v1beta1",
    "/apis/rbac.authorization.k8s.io",
    "/apis/rbac.authorization.k8s.io/v1",
    "/apis/rbac.authorization.k8s.io/v1beta1",
    "/apis/scheduling.k8s.io",
    "/apis/scheduling.k8s.io/v1",
    "/apis/scheduling.k8s.io/v1beta1",
    "/apis/storage.k8s.io",
    "/apis/storage.k8s.io/v1",
    "/apis/storage.k8s.io/v1beta1",
    "/healthz",
    "/healthz/autoregister-completion",
    "/healthz/etcd",
    "/healthz/log",
    "/healthz/ping",
    "/healthz/poststarthook/apiservice-openapi-controller",
    "/healthz/poststarthook/apiservice-registration-controller",
    "/healthz/poststarthook/apiservice-status-available-controller",
    "/healthz/poststarthook/bootstrap-controller",
    "/healthz/poststarthook/crd-informer-synced",
    "/healthz/poststarthook/generic-apiserver-start-informers",
    "/healthz/poststarthook/kube-apiserver-autoregistration",
    "/healthz/poststarthook/rbac/bootstrap-roles",
    "/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
    "/healthz/poststarthook/start-apiextensions-controllers",
    "/healthz/poststarthook/start-apiextensions-informers",
    "/healthz/poststarthook/start-cluster-authentication-info-controller",
    "/healthz/poststarthook/start-kube-aggregator-informers",
    "/healthz/poststarthook/start-kube-apiserver-admission-initializer",
    "/livez",
    "/livez/autoregister-completion",
    "/livez/etcd",
    "/livez/log",
    "/livez/ping",
    "/livez/poststarthook/apiservice-openapi-controller",
    "/livez/poststarthook/apiservice-registration-controller",
    "/livez/poststarthook/apiservice-status-available-controller",
    "/livez/poststarthook/bootstrap-controller",
    "/livez/poststarthook/crd-informer-synced",
    "/livez/poststarthook/generic-apiserver-start-informers",
    "/livez/poststarthook/kube-apiserver-autoregistration",
    "/livez/poststarthook/rbac/bootstrap-roles",
    "/livez/poststarthook/scheduling/bootstrap-system-priority-classes",
    "/livez/poststarthook/start-apiextensions-controllers",
    "/livez/poststarthook/start-apiextensions-informers",
    "/livez/poststarthook/start-cluster-authentication-info-controller",
    "/livez/poststarthook/start-kube-aggregator-informers",
    "/livez/poststarthook/start-kube-apiserver-admission-initializer",
    "/logs",
    "/metrics",
    "/openapi/v2",
    "/readyz",
    "/readyz/autoregister-completion",
    "/readyz/etcd",
    "/readyz/log",
    "/readyz/ping",
    "/readyz/poststarthook/apiservice-openapi-controller",
    "/readyz/poststarthook/apiservice-registration-controller",
    "/readyz/poststarthook/apiservice-status-available-controller",
    "/readyz/poststarthook/bootstrap-controller",
    "/readyz/poststarthook/crd-informer-synced",
    "/readyz/poststarthook/generic-apiserver-start-informers",
    "/readyz/poststarthook/kube-apiserver-autoregistration",
    "/readyz/poststarthook/rbac/bootstrap-roles",
    "/readyz/poststarthook/scheduling/bootstrap-system-priority-classes",
    "/readyz/poststarthook/start-apiextensions-controllers",
    "/readyz/poststarthook/start-apiextensions-informers",
    "/readyz/poststarthook/start-cluster-authentication-info-controller",
    "/readyz/poststarthook/start-kube-aggregator-informers",
    "/readyz/poststarthook/start-kube-apiserver-admission-initializer",
    "/readyz/shutdown",
    "/version"
  ]
}</pre>
</div>
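<p>The two responses above, read from a defender's side, as an added example that is not part of the original post: the 403 for <code>system:anonymous</code> shows the request passed authentication as the anonymous user and was rejected at authorization, and the claims of a service account token show whether it is a secret-based token with no expiry. The function names, the <code>demo-sa</code> account and the unsigned sample tokens are constructed for illustration; the code decodes claims only and does not verify signatures.</p>

```python
import base64
import json
import re

# --- Constructed sample inputs (not captured from a real cluster) ---
LEGACY_CLAIMS = {  # same claim names as a secret-based service account token
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "demo-sa-token-xxxxx",
    "kubernetes.io/serviceaccount/service-account.name": "demo-sa",
    "sub": "system:serviceaccount:default:demo-sa",
}
BOUND_CLAIMS = {  # shape of a time- and audience-bound token
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": 1700000000,
    "exp": 1700003600,
    "sub": "system:serviceaccount:default:demo-sa",
}
ANON_403 = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure",
    "message": 'forbidden: User "system:anonymous" cannot get path "/"',
    "reason": "Forbidden", "code": 403,
})


def b64url_json(obj):
    """Encode a dict as an unpadded base64url JSON segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build an unsigned JWT-shaped string; the third segment is a dummy."""
    header = {"alg": "RS256", "kid": "constructed"}
    return ".".join([b64url_json(header), b64url_json(claims), "c2ln"])


def decode_claims(token):
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def inspect_sa_token(token, now=None):
    """Summarise who a service account token speaks for and how it is bound."""
    claims = decode_claims(token)
    sub = claims.get("sub", "")
    m = re.fullmatch(r"system:serviceaccount:([^:]+):([^:]+)", sub)
    findings = []
    if claims.get("iss") == "kubernetes/serviceaccount":
        findings.append("legacy secret-based token")
    if "exp" not in claims:
        findings.append("no exp claim: valid until its Secret or ServiceAccount is deleted")
    elif now is not None and claims["exp"] <= now:
        findings.append("token is expired")
    if "aud" not in claims:
        findings.append("no aud claim: not audience-bound")
    return {
        "subject": sub,
        "namespace": m.group(1) if m else None,
        "service_account": m.group(2) if m else None,
        "findings": findings,
    }


def classify_status(body):
    """Tell which access-control stage rejected a request, from its Status body."""
    status = json.loads(body)
    if status.get("kind") != "Status":
        raise ValueError("not a Kubernetes Status object")
    m = re.search(r'User "([^"]+)"', status.get("message", ""))
    user = m.group(1) if m else None
    code = status.get("code")
    if code == 401:
        stage = "authentication"   # no authenticator accepted the credentials
    elif code == 403:
        stage = "authorization"    # identity was established, then denied
    else:
        stage = "other"
    # system:anonymous appears only when the API server accepts anonymous
    # requests (kube-apiserver --anonymous-auth); otherwise the reply is a 401.
    return {"denied_at": stage, "user": user, "anonymous": user == "system:anonymous"}


if __name__ == "__main__":
    print(classify_status(ANON_403))
    print(inspect_sa_token(make_sample_token(LEGACY_CLAIMS)))
    print(inspect_sa_token(make_sample_token(BOUND_CLAIMS), now=1700000100))
```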
<p>Experiment complete.</p>
<hr>
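<p><span style="color: rgba(255, 0, 0, 1)">Blogger's statement: the content of this article comes mainly from teacher Yan Wei of Yutian Education, and I carried out the experiments myself to verify it. Readers who need it should contact Yutian Education (http://www.yutianedu.com/); it may be reposted once the official consent of Yutian Education or the consent of teacher Yan himself (https://www.cnblogs.com/breezey/) has been obtained. Thank you!</span></p>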

</div>
<div id="MySignature" role="contentinfo">
    <div>Author: 梦中泪</div>
<div>Source: http://www.cnblogs.com/zyxnhr/
</div>
<div>About the author: cloud computing, Linux, virtualization, storage</div>
Source: https://www.cnblogs.com/zyxnhr/p/12209894.html