Authorization
Problem
Running
$ kubectl get pod --server https://{{cluster_endpoint}} --client-certificate=client.pem --client-key=key.rsa --certificate-authority=ca.pem
fails with the following error:
Error from server (Forbidden): pods is forbidden: User "client" cannot list pods in the namespace "default": Unknown user "client"
Cause
GKE clusters have Legacy Authorization (ABAC) disabled by default, so RBAC is the only authorizer. The client certificate authenticates fine, and the username is taken from the certificate's CN ("client"), but no RoleBinding or ClusterRoleBinding refers to that user, so every request is denied with Forbidden. The fix is to create a binding for user "client". Creating bindings itself requires permission, so first obtain credentials for a principal that is allowed to do that (your Google account, via gcloud), then apply the binding.
Solution
- Authenticate to the cluster with your Google account using the command below (this writes a kubeconfig context that can create bindings):
$ gcloud container clusters get-credentials {{clustername}} --project {{projectname}} --zone {{zone}}
- Create a ClusterRoleBinding for user "client": save the manifest below as rbak.yml and apply it with
$ kubectl apply -f rbak.yml
- Re-run the original kubectl get pod command with the client certificate; it should now list pods. You can also confirm the binding without the certificate using kubectl auth can-i list pods --as=client -n default.
# rbak.yml
# rbac.authorization.k8s.io/v1beta1 is deprecated and removed in Kubernetes 1.22; use v1.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: client-admin-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: User
  # Must match the CN of the subject in client.pem.
  name: client
  # For User and Group subjects the apiGroup is rbac.authorization.k8s.io
  # (an empty apiGroup is only valid for ServiceAccount subjects and is rejected here).
  apiGroup: rbac.authorization.k8s.io