[Error fix] kubectl lacks permissions, error: User "kubernetes" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io"

Errors:

kubectl --server=https://192.168.56.169:6443 create clusterrolebinding kubernetes  --clusterrole=cluster-admin --user=kubernetes 
Error message:
error: failed to create clusterrolebinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "kubernetes" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope


kubectl get csr
Error message:
Error from server (Forbidden): certificatesigningrequests.certificates.k8s.io is forbidden: User "kubernetes" cannot list resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope


kubectl get cs
Error message:
Error from server (Forbidden): componentstatuses is forbidden: User "kubernetes" cannot list resource "componentstatuses" in API group "" at the cluster scope

kubectl get node
Error message:
Error from server (Forbidden): nodes is forbidden: User "kubernetes" cannot list resource "nodes" in API group "" at the cluster scope

Summary: the user "kubernetes" has no permissions at all.

Fix

Step 1: Create the admin certificate (used by kubectl)

# kubectl's certificate lives here; since kubectl acts as the system administrator, we name it admin

# Prepare the admin certificate config - kubectl only needs a client certificate, so the hosts field of the CSR can be left empty
cat<<EOF > /root/k8s/certs/admin-csr.json 
{
    "CN":"admin",
    "hosts":[],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"system:masters",
            "OU":"System"
        }
    ]
}
EOF

# Sign the admin certificate with the root CA (ca.pem)
cfssl gencert -ca=/root/k8s/certs/ca.pem -ca-key=/root/k8s/certs/ca-key.pem -config=/root/k8s/certs/ca-config.json -profile=kubernetes /root/k8s/certs/admin-csr.json | cfssljson -bare /root/k8s/certs/admin

Note: the key point is the "O": "system:masters" field above.

kube-apiserver predefines a number of RoleBindings used by RBAC; for example, cluster-admin binds the Group system:masters to the Role cluster-admin, and that Role grants permission to call every kube-apiserver API.
O sets the certificate's Group to system:masters. When kubelet uses this certificate to access kube-apiserver, authentication succeeds because the certificate is signed by the CA, and because the certificate's group is the pre-authorized system:masters, it is granted access to all APIs.

Step 2: Point kubectl's kubeconfig at the generated admin certificate

# Address of the kube-apiserver (set when kube-apiserver was installed)

APISERVER="https://10.124.220.141:6443"


# kubeconfig for kubectl
cat<<EOF > /root/k8s/cfg/admin.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /root/k8s/certs/ca.pem
    server: ${APISERVER}
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:admin
  name: system:admin
current-context: system:admin
kind: Config
preferences: {}
users:
- name: system:admin
  user:
    client-certificate: /root/k8s/certs/admin.pem
    client-key: /root/k8s/certs/admin-key.pem
EOF


cp /root/k8s/cfg/admin.kubeconfig ~/.kube/config
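After copying the kubeconfig into place, the quickest way to confirm the fix is `kubectl auth can-i`. The Python below is an added example, not code from the original post or from the handbook it cites: it parses the Forbidden messages shown at the top into (user, verb, resource, API group, scope) and builds the matching `kubectl auth can-i` check, both for the failing user and impersonating the identity the admin certificate presents (CN admin, group system:masters). The sample error strings are constructed from the messages above; the namespaced form of the message is assumed from the apiserver's error format.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input: two of the Forbidden messages shown above.
SAMPLE_ERRORS = [
    'error: failed to create clusterrolebinding: clusterrolebindings.rbac.authorization.k8s.io is forbidden: '
    'User "kubernetes" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope',
    'Error from server (Forbidden): nodes is forbidden: User "kubernetes" cannot list resource "nodes" in API group "" at the cluster scope',
]

# Layout of the authorization-denied message; namespaced requests end with
# 'in the namespace "<ns>"' instead of 'at the cluster scope' (assumed format).
DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)

class Denial(NamedTuple):
    user: str
    verb: str
    resource: str
    group: str                # "" is the core API group
    namespace: Optional[str]  # None means the request was cluster-scoped

def parse_denial(line: str) -> Optional[Denial]:
    """Return the structured denial, or None if the line is not a Forbidden error."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    return Denial(m["user"], m["verb"], m["resource"], m["group"], m["namespace"])

def can_i_command(d: Denial, as_user: Optional[str] = None,
                  as_group: Optional[str] = None) -> str:
    # --as/--as-group impersonate another identity; the caller needs
    # 'impersonate' rights for that, which cluster-admin (the admin kubeconfig) has.
    resource = d.resource if d.group == "" else f"{d.resource}.{d.group}"
    parts = ["kubectl", "auth", "can-i", d.verb, resource]
    if d.namespace:
        parts.append(f"--namespace={d.namespace}")
    if as_user:
        parts.append(f"--as={as_user}")
    if as_group:
        parts.append(f"--as-group={as_group}")
    return " ".join(parts)

if __name__ == "__main__":
    for d in filter(None, map(parse_denial, SAMPLE_ERRORS)):
        print(can_i_command(d, as_user=d.user))                        # as the failing user
        print(can_i_command(d, as_user="admin", as_group="system:masters"))  # as the admin cert
```

With the admin kubeconfig active, the first command of each pair should still answer "no" and the second "yes"; the impersonated check mirrors what kube-apiserver decides for the certificate's CN and O.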

References

https://jimmysong.io/kubernetes-handbook/practice/create-tls-and-secret-key.html
