【Question title】:kubectl - Error from server (Forbidden): users "xxx@xxx.it" is forbidden: User "system:serviceaccount:gke-connect:connect-agent-sa"
【Posted】:2021-08-04 09:51:55
【Question description】:

I have this strange situation. How can I solve this problem?

ubuntu@anth-mgt-wksadmin:~$ kubectl get nodes
error: the server doesn't have a resource type "nodes"

ubuntu@anth-mgt-wksadmin:~$ kubectl cluster-info
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
error: the server doesn't have a resource type "services"

ubuntu@anth-mgt-wksadmin:~$ kubectl cluster-info dump
Error from server (Forbidden): users "xxx@xxx.it" is forbidden: User system:serviceaccount:gke-connect:connect-agent-sa" cannot impersonate resource "users" in API group "" at the cluster scope

I think the problem is caused by applying the following

USER_ACCOUNT=foo@example.com
cat <<EOF > /tmp/impersonate.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-impersonate
rules:
- apiGroups:
  - ""
  resourceNames:
  - ${USER_ACCOUNT}
  resources:
  - users
  verbs:
  - impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-impersonate
roleRef:
  kind: ClusterRole
  name: gateway-impersonate
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: connect-agent-sa
  namespace: gke-connect
EOF
# Apply impersonation policy to the cluster.
kubectl apply -f /tmp/impersonate.yaml

【Question comments】:

  • Hello @andreaciuffoli. Could you share more details about the impersonation you want to apply?

Tags: kubernetes kubectl google-anthos
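
The Forbidden error in the question names the user the connect agent tried to impersonate, and the ClusterRole in the question limits the impersonate verb to the names listed under resourceNames. The following is an added example, not part of the original post: it applies RBAC rule matching to that ClusterRole, using JSON constructed from the question's manifest with USER_ACCOUNT=foo@example.com; the function names are hypothetical.

```python
import json

# Constructed sample: the question's ClusterRole as JSON, rendered with
# USER_ACCOUNT=foo@example.com (shape of `kubectl get clusterrole -o json`).
CLUSTER_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "gateway-impersonate"},
  "rules": [
    {"apiGroups": [""],
     "resources": ["users"],
     "resourceNames": ["foo@example.com"],
     "verbs": ["impersonate"]}
  ]
}
""")


def _listed(allowed, value):
    """RBAC list match: "*" is a wildcard for verbs, apiGroups and resources."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name):
    """Return True if one PolicyRule grants verb on api_group/resource/name."""
    if not _listed(rule.get("verbs", []), verb):
        return False
    if not _listed(rule.get("apiGroups", []), api_group):
        return False
    if not _listed(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames") or []
    # An empty resourceNames list means every name; otherwise exact match only.
    return not names or name in names


def can_impersonate(role, user):
    """True if any rule in the role lets its subjects impersonate this user."""
    return any(rule_allows(r, "impersonate", "", "users", user)
               for r in role.get("rules", []))


if __name__ == "__main__":
    # The second name is the (redacted) user from the Forbidden error.
    for user in ("foo@example.com", "xxx@xxx.it"):
        verdict = "allowed" if can_impersonate(CLUSTER_ROLE, user) else "forbidden"
        print(f"impersonate users/{user}: {verdict}")
```

Against a live cluster, `kubectl auth can-i impersonate users/<name> --as=system:serviceaccount:gke-connect:connect-agent-sa` asks the API server the same question.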


【Solution 1】:

I copied the admin.conf file from one of the admin cluster nodes to the admin workstation and renamed it to kubeconfig

root@anth-admin-host1:~# cat /etc/kubernetes/admin.conf
apiVersion: v1
clusters:

【Comments】:
