Kubernetes ServiceAccount cannot list nodes

Reposted. Author: 行者123. Updated: 2023-12-02 11:55:30

I am trying to grant my service account foo permission to get the list of nodes on the cluster (via kubectl get nodes). I created a clusterrole and a role binding with these permissions:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: foo-cluster-role
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

When I run a pod with that service account, I cannot run kubectl get nodes:

root@debugger:/# kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:default:foo" cannot list resource "nodes" in API group "" at the cluster scope

Strangely, when I ask via kubectl auth can-i, it tells me I should have access:

root@debugger:/# kubectl auth can-i get nodes
Warning: resource 'nodes' is not namespace scoped
yes

How do I set up my service account so that I have permission to list the nodes on the cluster?

Edit: the clusterrolebinding looks like this:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: foo-binding
subjects:
- kind: ServiceAccount
  name: foo
roleRef:
  kind: ClusterRole
  name: foo-cluster-role
  apiGroup: ""

Best answer

You must create a ClusterRoleBinding. Please check the following.

# rbac.authorization.k8s.io/v1 has been served since Kubernetes 1.8;
# v1beta1 was removed in 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: foo-cluster-role
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: foo-binding
subjects:
- kind: ServiceAccount
  name: foo
  # Required for a ServiceAccount subject in a ClusterRoleBinding (the API
  # server rejects it otherwise); the error message shows the SA lives in "default".
  namespace: default
roleRef:
  kind: ClusterRole
  name: foo-cluster-role
  apiGroup: rbac.authorization.k8s.io
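An added illustration, not part of the question or the answer above: a small Python model of the RBAC scoping rule that explains the symptom. It assumes only what the thread shows: `kubectl auth can-i` run inside the pod is evaluated in the pod's own namespace ("default", hence the namespace warning), so the question's RoleBinding answers yes, while `kubectl get nodes` is a cluster-scoped list request that only a ClusterRoleBinding can satisfy.

```python
# Added example, not code from the question or the answer: a toy model of how
# Kubernetes RBAC scopes bindings. RoleBinding grants apply only to requests
# made in the binding's namespace; ClusterRoleBinding grants apply everywhere,
# including cluster-scoped requests (namespace None) such as `kubectl get nodes`.

# The ClusterRole from the thread, reduced to what the evaluator needs.
FOO_CLUSTER_ROLE = {"resources": {"nodes"}, "verbs": {"get", "list", "watch"}}
SA = "system:serviceaccount:default:foo"

# The question's RoleBinding lives in namespace "default" (where the SA is).
QUESTION_BINDINGS = [
    {"kind": "RoleBinding", "namespace": "default", "subjects": {SA}, "role": FOO_CLUSTER_ROLE},
]
# The answer's ClusterRoleBinding has no namespace of its own.
ANSWER_BINDINGS = [
    {"kind": "ClusterRoleBinding", "subjects": {SA}, "role": FOO_CLUSTER_ROLE},
]


def allowed(bindings, subject, verb, resource, namespace=None):
    """True if any binding grants `verb` on `resource` to `subject`.

    namespace=None models a cluster-scoped request. A RoleBinding is skipped
    unless the request's namespace equals the binding's namespace.
    """
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        role = b["role"]
        if verb in role["verbs"] and resource in role["resources"]:
            return True
    return False


def check(bindings):
    """Reproduce the two checks from the question against a set of bindings."""
    return {
        # `kubectl auth can-i get nodes` in the pod is evaluated in the pod's
        # namespace ("default"), which is why it printed the namespace warning.
        "can-i get nodes in default": allowed(bindings, SA, "get", "nodes", "default"),
        # `kubectl get nodes` is a cluster-scoped *list* request.
        "list nodes at cluster scope": allowed(bindings, SA, "list", "nodes", None),
    }


if __name__ == "__main__":
    print("RoleBinding (question):", check(QUESTION_BINDINGS))
    print("ClusterRoleBinding (answer):", check(ANSWER_BINDINGS))
```

On a real cluster the same cluster-scoped check, run as an administrator, is `kubectl auth can-i list nodes -A --as=system:serviceaccount:default:foo`; without `-A` the review is evaluated in your current namespace, which is the trap the question fell into.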

Regarding "Kubernetes ServiceAccount cannot list nodes", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61552647/
