kubernetes - Service account role binding does not work for API access

Reposted. Author: 行者123. Updated: 2023-12-02 12:20:39

I am developing a tool that interacts with Kubernetes. I am using an OpenShift setup with the allow-all authentication provider. I can log in to the web console as expected.

I was also able to set up a service account and assign cluster role bindings to the service account user. Nevertheless, when I access the REST API with that service account's token, I am forbidden.

Here is what happens when I try to set up the role bindings with the OpenShift commands:

[root@host1 ~]# oadm policy add-cluster-role-to-user view em7 --namespace=default
[root@host1 ~]# oadm policy add-cluster-role-to-user cluster-admin em7 --namespace=default
[root@host1 ~]# oadm policy add-cluster-role-to-user cluster-reader em7 --namespace=default


[root@host1 ~]# oc get secrets | grep em7
em7-dockercfg-hnl6m kubernetes.io/dockercfg 1 18h
em7-token-g9ujh kubernetes.io/service-account-token 4 18h
em7-token-rgsbz kubernetes.io/service-account-token 4 18h


TOKEN=`oc describe secret em7-token-g9ujh | grep token: | awk '{ print $2 }'`


[root@host1 ~]# curl -kD - -H "Authorization: Bearer $TOKEN" https://localhost:8443/api/v1/pods
HTTP/1.1 403 Forbidden
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 19 Jun 2018 15:36:40 GMT
Content-Length: 260

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:serviceaccount:default:em7\" cannot list all pods in the cluster",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}

I can also try the yaml file from (Openshift Admin Token):
# Create service account "ns-reader"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ns-reader
  namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: global-reader
rules:
- apiGroups: [""]
  # add other resources you wish to read
  resources: ["pods", "secrets"]
  verbs: ["get", "watch", "list"]

---
# This cluster role binding allows service account "ns-reader" to read pods in all available namespaces
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-ns
subjects:
- kind: ServiceAccount
  name: ns-reader
  namespace: default
roleRef:
  kind: ClusterRole
  name: global-reader
  apiGroup: rbac.authorization.k8s.io

When I run it, I get the following error:
[root@host1 ~]# kubectl create -f stack_overflow_49667238.yaml
error validating "stack_overflow_49667238.yaml": error validating data: API version "rbac.authorization.k8s.io/v1" isn't supported, only supports API versions ["federation/v1beta1" "v1" "authentication.k8s.io/v1beta1" "componentconfig/v1alpha1" "policy/v1alpha1" "rbac.authorization.k8s.io/v1alpha1" "apps/v1alpha1" "authorization.k8s.io/v1beta1" "autoscaling/v1" "extensions/v1beta1" "batch/v1" "batch/v2alpha1"]; if you choose to ignore these errors, turn validation off with --validate=false

I tried several different API versions from the list, but they all fail in a similar way.

Best answer

oadm policy add-cluster-role-to-user view em7 grants the role to a user named em7.

You need to grant the permission to the service account, e.g. oadm policy add-cluster-role-to-user view system:serviceaccount:default:em7
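As an added example (not part of the question or the answer above), a small Python audit helper that shows why the original binding never applied: it evaluates which cluster role bindings cover a given identity using the RBAC subject rule the answer relies on (a User subject must equal the full username; a ServiceAccount subject is compared as system:serviceaccount:<namespace>:<name>). The binding list is a constructed sample in the rbac.authorization.k8s.io shape, not real cluster output, and the basic-users/system:authenticated binding is constructed as well.

```python
import json
import re

# Constructed sample shaped like `oc get clusterrolebindings -o json` (RBAC form)
# after the question's commands: `add-cluster-role-to-user view em7` binds a
# *User* named em7, while the manifest binds a *ServiceAccount* (constructed data).
SAMPLE_BINDINGS = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "view"}, "roleRef": {"name": "view"},
   "subjects": [{"kind": "User", "name": "em7"}]},
  {"metadata": {"name": "read-ns"}, "roleRef": {"name": "global-reader"},
   "subjects": [{"kind": "ServiceAccount", "name": "ns-reader",
                 "namespace": "default"}]},
  {"metadata": {"name": "basic-users"}, "roleRef": {"name": "basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]}
""")

SA_RE = re.compile(r"^system:serviceaccount:([^:]+):([^:]+)$")

def implicit_groups(username):
    """Groups the API server attaches to an authenticated identity."""
    groups = {"system:authenticated"}
    m = SA_RE.match(username)
    if m:  # service accounts also belong to these two well-known groups
        groups |= {"system:serviceaccounts", "system:serviceaccounts:" + m.group(1)}
    return groups

def subject_matches(subject, username):
    """RBAC subject rule: User by exact name, ServiceAccount by system:serviceaccount:<ns>:<name>."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "User":
        return name == username
    if kind == "ServiceAccount":
        ns = subject.get("namespace", "default")
        return username == "system:serviceaccount:%s:%s" % (ns, name)
    if kind == "Group":
        return name in implicit_groups(username)
    return False

def roles_for(bindings, username):
    """Map binding name -> role name for every binding that covers username."""
    return {b["metadata"]["name"]: b["roleRef"]["name"]
            for b in bindings["items"]
            if any(subject_matches(s, username) for s in b.get("subjects", []))}

def forbidden_user(status_body):
    """Extract the identity named in a 403 Status body like the one in the question."""
    m = re.search(r'User "([^"]+)"', json.loads(status_body)["message"])
    return m.group(1) if m else None
```

Running roles_for(SAMPLE_BINDINGS, forbidden_user(body)) on the 403 body from the question shows that only the group binding covers system:serviceaccount:default:em7, while the User subject em7 from the oadm command covers a different identity entirely.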

Regarding "kubernetes - Service account role binding does not work for API access", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/50932289/
