
Kubernetes pods is forbidden: User "user1" cannot list pods in the namespace "stage"

Reposted. Author: 行者123. Updated: 2023-12-02 12:05:09

While testing role-based access on Alibaba Container Service, it throws the error "pods is forbidden: User "user1" cannot list pods in the namespace "stage"". This is an RBAC problem and I can't figure out where I went wrong.

RoleBinding definition

root@kube-master:# kubectl describe rolebinding stage-role-binding -n stage
Name:         stage-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  staging
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  user2

Role definition

root@kube-master:# kubectl describe role -n stage
Name:         staging
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources               Non-Resource URLs  Resource Names  Verbs
  ---------               -----------------  --------------  -----
  deployments             []                 []              [get list watch create update patch delete]
  pods                    []                 []              [get list watch create update patch delete]
  replicasets             []                 []              [get list watch create update patch delete]
  deployments.apps        []                 []              [get list watch create update patch delete]
  pods.apps               []                 []              [get list watch create update patch delete]
  replicasets.apps        []                 []              [get list watch create update patch delete]
  deployments.extensions  []                 []              [get list watch create update patch delete]
  pods.extensions         []                 []              [get list watch create update patch delete]
  replicasets.extensions  []                 []              [get list watch create update patch delete]

A pod is running fine in the stage namespace

root@kube-master:# kubectl get pods -n stage
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          10m

Defining the context
root@kube-master:# kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2
Context "stage" modified.

Testing RBAC
root@kube-master:/home/ansible# kubectl --context=stage get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "user1" cannot list pods in the namespace "stage"

I'm not sure where user1 is coming from and throwing the RBAC error.
Only the context is set to user2

root@kube-master:# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin
          stage                         kubernetes   user2              stage

This is how I created the user
openssl genrsa -out user2.key 2048
openssl req -new -key user2.key -out user2.csr -subj "/CN=user1/O=8gwifi.org"
openssl x509 -req -in user2.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user2.crt -days 500

kubectl config set-credentials user2 --client-certificate=user2.crt --client-key=user2.key
kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2

Best answer

The RoleBinding is for user user2, not for user1. That is why you are getting the RBAC error.

Setting the context for user user2 does not mean Kubernetes will identify this user as user2. That depends on the credentials you use. If the credentials used belong to user user-x, Kubernetes will treat it as user-x. The context user is only used by kubectl to look up the user's credential information. To understand Kubernetes authentication, see here.

The credentials you are using there resolve to user user1. So you should update the RoleBinding to user1.

After the question was updated

With certificate authentication, the CN will be the username (reference: here).
In your certificate you have "/CN=user1/O=8gwifi.org", so the username will be user1, not user2.
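The following script is an added example, not code from the question or the answer above. It shows the fix in the answer as a repeatable procedure: issue the client certificate with the CN set to the intended Kubernetes username, read the username back out of the signed certificate rather than trusting the file name, and build the RoleBinding subject from that value so the two cannot drift apart the way user1/user2 did in the question. The throwaway CA, the group name "stage-devs", the `make_test_ca`, `issue_client_cert`, `cert_username`, `check_cert_user` and `rolebinding_manifest` helpers and the temporary directory are all assumptions so that it runs offline; on a real control plane you would sign with /etc/kubernetes/pki/ca.crt and ca.key and apply the printed manifest with kubectl.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: a local test CA,
# the group name "stage-devs" and a temp directory, so it runs with no cluster.
set -eu

# make_test_ca DIR: throwaway CA standing in for /etc/kubernetes/pki/ca.{crt,key}.
make_test_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/ca.key" -days 1 -subj "/CN=test-ca" -out "$1/ca.crt"
}

# issue_client_cert DIR FILE CN GROUP: writes DIR/FILE.{key,csr,crt}.
# The API server maps the subject as CN -> username and O -> group, so the
# CN (not the file name, not the kubeconfig user) is what RBAC will match on.
issue_client_cert() {
  dir=$1; file=$2; cn=$3; group=$4
  openssl genrsa -out "$dir/$file.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$file.key" -subj "/CN=$cn/O=$group" -out "$dir/$file.csr"
  openssl x509 -req -in "$dir/$file.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/$file.crt" 2>/dev/null
}

# cert_username CERT: the CN of the signed certificate, i.e. the username RBAC sees.
cert_username() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# check_cert_user CERT EXPECTED: succeed only if the cert's CN equals EXPECTED.
check_cert_user() {
  actual=$(cert_username "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "CN mismatch: certificate says '$actual', RoleBinding expects '$2'" >&2
  return 1
}

# rolebinding_manifest NAMESPACE ROLE CERT: subject name is taken from the cert.
rolebinding_manifest() {
  ns=$1; role=$2; user=$(cert_username "$3")
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${ns}-role-binding
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${role}
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: ${user}
EOF
}

demo() {
  work=$(mktemp -d)
  make_test_ca "$work"

  # The situation from the question: files are named user2, but CN=user1.
  issue_client_cert "$work" user2 user1 8gwifi.org
  check_cert_user "$work/user2.crt" user2 || true   # reports the mismatch

  # The fix: the CN must equal the RoleBinding subject name.
  issue_client_cert "$work" user2 user2 stage-devs
  check_cert_user "$work/user2.crt" user2
  rolebinding_manifest stage staging "$work/user2.crt"
  rm -rf "$work"
}

demo
```

Because the O field becomes a group, a binding with `kind: Group` and `name: stage-devs` would also grant the cert access, which is the usual way to avoid one RoleBinding per person. Against a live cluster, `kubectl auth can-i list pods -n stage --as=user2` shows what the binding grants to that username before the certificate is ever presented, so a mismatch like the one in the question surfaces without a round trip through the client.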

For "Kubernetes pods is forbidden: User "user1" cannot list pods in the namespace "stage"", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54551890/
