在某些特定的场景下，进入服务器访问Kubectl命令确实不太方便

• 于是乎，本人通过亲自实践搞到了本地客户端通过代理访问k8s命令

踩坑：http代理七层协议访问

• 第一感觉是使用http代理，原因是我看一~/.kube/config是https://******:6443

接下来对nginx进行配置，一顿操作猛如虎。。。

    server {
        listen       80; # 监听80端口
        server_name  k8s.prod.abc.com;  # 指定域名，本地得配置host，因为没有域名解析

        location /api/ {
            set $cmpassport_addr https://192.168.3.2:6443/;  # 实际k8s接口服务地址
            proxy_pass $cmpassport_addr;
        }
    }

配置完成后，当然重启是nginx

nginx -s reload

不错，没有报错。哈哈。。此时此刻心情极佳。。。

接下来当然是配置本地的k8s配置

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFEREFwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1USXdNakF6TURZMU5Wb1hEVE15TVRFeU9UQXpNRFkxTlZvd0ZURVRNQkVHQTFVRQpBd3dLYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBT3VkClFhZ05BTGtTQ2FUbkVnMVU5SDBDNCtqSWJIRHE4S1hod1RieVVUcFYrbjBDTDNST1oyTis0OS8vK2g5TEs1Mm8KVjlXSnVacTFMbjNITk1LZWdRUHdFa3QzejJVT0RhcWsydG5QQ0hGUzI3WVNLZXJ4OWxrTVd0NnVVZ0tTVmNmVQpocGp2SmhYMVpWWTQ0TDgzMmZkUlIxMDg5WkNrNEwwWmJVRDR4WUdHaUdKUjJ2MjVheTAycHR1czl4T0JIZ2UzCklweVRFQmw4eWRtdTJGQkZWcWFhWUJvc3B5cnZ4OE1ZTmM0U1N1RUcySm1JOE8zbXdNWFhFYXVmcCtEaXZ6a1EKdk5HWWFkMmR1MlNRcU1YN1BqLzVrc01BV0V1aEljVndiMU9aR0ZyNFoveGJtRU1sWGNkMWdGYlFQajE2bCsyawpQMHROTGJ6L2xHMTNWOEcxRnhNQ0F3RUFBYU1qTUNFd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBT0JnTlZIUThCCkFmOEVCQU1DQXFRd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFPZGMyRStCTmtCK2wrZHNMdDlQbUs4eVVObUgKMkd5bVRmOVM2R0tVOWoybW5UcmY0aXcvSkFUeTYzbk9ZMC80SUE0NGRIRHpnNThWT1I3OE9Wa3NTNDJYeVYxMwp5VTNncjdVdDJrUzBHbFBTYVcrRHk0VVJoN1NsU3NZZ0hYVStZWjNzWVdkejFYUTY2ZVo3WDdlZGcwbHluZ0xOCjJ6alpFcW1wRHJ3UUpPOHFYMmJPSFU0WnVTVEtEdWJMSjF6dHNUNHdVdCsrd3ZXZEJxbnZ0K0czbit6YkpwVXAKUW14NTZOYnhSb0tzOGFSb2lLWWYwTzdxQ1MyOWIwNHJBbkhwWDR6c0xacGJHR3dVMjFiSWgyR2xBa1l5M1R3KwpxaE00K3p0bG9hMkFZZzg3RStYSmlpcnFQZkIwa2hyNGN1SVh6VEFyTko5MWFCNFg5NFFtZi9PVlIzST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: http://192.168.3.5  # 代理服务器，端口省略，因为是80嘛，你懂的
  name: dev-cluster

contexts:
- context:
    cluster: dev-cluster
    user: dev-user
  name: dev-context

current-context: dev-context
kind: Config
preferences: {}
users:
  user:
    client-certificate-data: 此处保密
    client-key-data: 此处保密

• 配置完成本，测试一下看看

kubectl get pods   ## 结果显示，没有获得资源。。你妈，什么鬼。。感觉想是通的哇。

• 查看nginx日志

# 403异常，像是没有权限的意思。。但看接口地址，/api/api   什么鬼，感觉多加了一层
[14/Mar/2023:09:53:50 +0800] "GET /api/apis?timeout=32s HTTP/1.1" 403 185 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:54:44 +0800] "GET /api/api?timeout=32s HTTP/1.1" 403 188 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:54:44 +0800] "GET /api/apis?timeout=32s HTTP/1.1" 403 188 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:54:44 +0800] "GET /api/api?timeout=32s HTTP/1.1" 403 188 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:54:44 +0800] "GET /api/apis?timeout=32s HTTP/1.1" 403 188 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:54:44 +0800] "GET /api/api?timeout=32s HTTP/1.1" 403 188 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:54:44 +0800] "GET /api/apis?timeout=32s HTTP/1.1" 403 188 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"

• 修改nginx配置，把api这一层去掉，再尝试访问

# NND  还是403   我了去，什么情况
[14/Mar/2023:09:47:14 +0800] "GET /apis?timeout=32s HTTP/1.1" 403 185 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:47:14 +0800] "GET /api?timeout=32s HTTP/1.1" 403 185 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:47:14 +0800] "GET /apis?timeout=32s HTTP/1.1" 403 185 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:47:14 +0800] "GET /api?timeout=32s HTTP/1.1" 403 185 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:47:14 +0800] "GET /apis?timeout=32s HTTP/1.1" 403 185 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"
[14/Mar/2023:09:47:14 +0800] "GET /api?timeout=32s HTTP/1.1" 403 185 "-" "kubectl/v1.25.0 (linux/amd64) kubernetes/a866cbe" "10.19.111.132"

搞了好几个小时, 当然不是简单的这么配置，slb修改等都算在上面

正想着要不要放弃，于是上google再查找一下资源，百度非常不靠谱，怎么也找不到资料。。

哈哈。。尽然真的找到了解决方案

你妈，尽然使用的是4层代理。。

于是，再次一顿操作猛如虎，按图操作

再次google

又找到原因了。哈哈

• k8s的证书服务没有授权我代理的ip，所以就报错了

如何是好！！！！

再查一下资料，还真有解决方案
1. k8s证书重新生成，把代理ip加进去，这很明显比较麻烦
2. 执行命令时，参数加入
--insecure-skip-tls-verify也可以绕过

### 哈哈。。果然可以，终于搞定了
 kubectl get pods --insecure-skip-tls-verify

再次证明，不要轻易放弃。。。没有过不去的坎。。。