Kubernetes RBAC unable to upgrade connection: Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)

Updated: 2022-12-16 09:49:58

The connection between kubectl and the api is fine, and is being authorized correctly.

To satisfy an exec request, the apiserver contacts the kubelet running the pod, and that connection is what is being forbidden.

Your kubelet is configured to authenticate/authorize requests, and the apiserver is not providing authentication information recognized by the kubelet.

The way the apiserver authenticates to the kubelet is with a client certificate and key, configured with the --kubelet-client-certificate=... --kubelet-client-key=... flags provided to the API server.

See https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#overview for more information.
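
One way to check for the condition described above, as an added example that is not part of the original answer or of Kubernetes itself: the script reports whether a kube-apiserver manifest sets both kubelet client flags. The function names and the two sample manifests (including their file paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample manifests are constructed.

# Print the value of --$2=... from the manifest $1 (empty if absent).
flag_value() {
    sed -n "s/^[[:space:]]*-[[:space:]]*--$2=\(.*\)\$/\1/p" "$1" | head -n 1
}

# Return 0 if both kubelet client flags are set; else list what is missing.
check_kubelet_client_flags() {
    missing=0
    for flag in kubelet-client-certificate kubelet-client-key; do
        if [ -z "$(flag_value "$1" "$flag")" ]; then
            echo "missing: --$flag"
            missing=1
        fi
    done
    return "$missing"
}

# Write two constructed kube-apiserver manifests into directory $1.
write_samples() {
    cat > "$1/good.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
EOF
    cat > "$1/anonymous.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for name in good anonymous; do
    echo "== $name.yaml"
    check_kubelet_client_flags "$tmp/$name.yaml" && echo "both flags set"
done
rm -rf "$tmp"
```

A manifest that fails this check leaves the apiserver with no client identity to present, which is the situation in which the kubelet sees the request as user=system:anonymous.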