kubernetes - Error when creating "install/kubernetes/istio-rbac-beta.yaml"

Reposted. Author: 行者123. Updated: 2023-12-02 11:58:49

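I am trying to deploy Istio in my environment and ran into the following error. All the solutions online are about cluster role bindings, which I tried, but it still fails. Any input on my problem?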

kubectl api-versions | grep rbac

rbac.authorization.k8s.io/v1alpha1
rbac.authorization.k8s.io/v1beta1

sudo kubectl apply -f install/kubernetes/istio-rbac-beta.yaml
rolebinding "istio-pilot-admin-role-binding" configured
rolebinding "istio-ca-role-binding" configured
rolebinding "istio-ingress-admin-role-binding" configured
rolebinding "istio-sidecar-role-binding" configured

Error from server (Forbidden):
error when creating"install/kubernetes/istio-rbac-beta.yaml":
clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden:
attempt to grant extra privileges: [{[*] [istio.io] [istioconfigs] []
[]} {[*] [istio.io] [istioconfigs.istio.io] [] []} {[*] [extensions]
[thirdpartyresources] [] []} {[*] [extensions]
[thirdpartyresources.extensions] [] []} {[*] [extensions] [ingresses]
[] []} {[*] [] [configmaps] [] []} {[*] [] [endpoints] [] []} {[*] []
[pods] [] []} {[*] [] [services] [] []}] user=&{kubeconfig
[system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]

Error from server (Forbidden): error when creating
"install/kubernetes/istio-rbac-beta.yaml":
clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden:
attempt to grant extra privileges: [{[create] [] [secrets] [] []}
{[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[list] []
[secrets] [] []} {[watch] [] [serviceaccounts] [] []} {[list] []
[serviceaccounts] [] []}] user=&{kubeconfig [system:authenticated]
map[]} ownerrules=[] ruleResolutionErrors=[]

Error from server (Forbidden): error when creating
"install/kubernetes/istio-rbac-beta.yaml":
clusterroles.rbac.authorization.k8s.io "istio-sidecar" is forbidden:
attempt to grant extra privileges: [{[get] [istio.io] [istioconfigs] []
[]} {[watch] [istio.io] [istioconfigs] [] []} {[list] [istio.io]
[istioconfigs] [] []} {[get] [extensions] [thirdpartyresources] [] []}
{[watch] [extensions] [thirdpartyresources] [] []} {[list] [extensions]
[thirdpartyresources] [] []} {[update] [extensions]
[thirdpartyresources] [] []} {[get] [extensions] [ingresses] [] []}
{[watch] [extensions] [ingresses] [] []} {[list] [extensions]
[ingresses] [] []} {[update] [extensions] [ingresses] [] []} {[get] []
[configmaps] [] []} {[watch] [] [configmaps] [] []} {[list] []
[configmaps] [] []} {[get] [] [pods] [] []} {[watch] [] [pods] [] []}
{[list] [] [pods] [] []} {[get] [] [endpoints] [] []} {[watch] []
[endpoints] [] []} {[list] [] [endpoints] [] []} {[get] [] [services]
[] []} {[watch] [] [services] [] []} {[list] [] [services] [] []}]
user=&{kubeconfig [system:authenticated] map[]} ownerrules=[]
ruleResolutionErrors=[]

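Best answer

The error Kubernetes is giving you basically means that it considers whatever you are trying to do to be a privilege escalation (which is correct) and is trying to prevent it.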

The RBAC API prevents users from escalating privileges by editing roles or role bindings. Because this is enforced at the API level, it applies even when the RBAC authorizer is not in use. A user can only create/update a role if they already have all the permissions contained in the role, at the same scope as the role (cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role). For example, if “user-1” does not have the ability to list secrets cluster-wide, they cannot create a ClusterRole containing that permission. (taken from here)



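The reason for this is that the ClusterRole applied (through a ClusterRoleBinding) to the user you use to access the cluster does not actually have all the permissions you are trying to grant to the application. To fix this, you need to create a ClusterRoleBinding that gives your user the necessary permissions. In your case, it makes sense to bind yourself to the cluster-admin role, which gives you unlimited permissions.

To do this, you can run something like the following (the binding name is a placeholder):
kubectl create clusterrolebinding your-user-cluster-admin-binding --clusterrole=cluster-admin --user=your-user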

Regarding kubernetes - Error when creating "install/kubernetes/istio-rbac-beta.yaml", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/45619365/
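
Added example (not part of the original question or answer, and not Kubernetes or Istio code): a simplified model of the escalation check quoted above, which parses the "attempt to grant extra privileges" list from the denial and reports which permissions the caller's own rules do not cover. It assumes the five bracketed fields are verbs, API groups, resources, resource names and non-resource URLs, ignores the last two, and uses a constructed copy of the "istio-ca" denial; all function names are hypothetical.

```python
import re

# Constructed sample: the "istio-ca" denial from the question, joined onto one line.
DENIAL = ('clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden: '
          'attempt to grant extra privileges: [{[create] [] [secrets] [] []} '
          '{[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} '
          '{[list] [] [secrets] [] []} {[watch] [] [serviceaccounts] [] []} '
          '{[list] [] [serviceaccounts] [] []}] user=&{kubeconfig '
          '[system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]')

# Assumed field order: {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}
RULE = re.compile(r'\{\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]'
                  r'\s+\[[^\]]*\]\s+\[[^\]]*\]\}')

def parse_rules(message):
    """Return (verb, apiGroup, resource) triples listed after 'extra privileges:'."""
    body = message.split('extra privileges:', 1)[1]
    triples = []
    for verbs, groups, resources in RULE.findall(body):
        for v in verbs.split():
            for g in groups.split() or ['']:  # empty group list = core API group
                for r in resources.split():
                    triples.append((v, g, r))
    return triples

def covers(owner_rule, triple):
    """True if one held rule (verbs, groups, resources) permits the triple."""
    return all('*' in held or want in held
               for held, want in zip(owner_rule, triple))

def missing(owner_rules, message):
    """Triples in the denied role that none of the caller's rules cover."""
    return [t for t in parse_rules(message)
            if not any(covers(rule, t) for rule in owner_rules)]

def can_i_commands(triples):
    """kubectl auth can-i checks to run as the same user before re-applying."""
    return ["kubectl auth can-i '%s' '%s' --all-namespaces"
            % (v, r + ('.' + g if g else '')) for v, g, r in triples]

if __name__ == '__main__':
    # ownerrules=[] in the denial: the caller holds nothing, so all is missing.
    for line in can_i_commands(missing([], DENIAL)):
        print(line)
```

With an empty owner rule list, as in the `ownerrules=[]` field of the denial, every requested permission is reported as missing; a caller holding exactly the rules in the role would pass the same check.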
