Cannot query kubernetes (unauthorized): endpoints is forbidden: User cannot list endpoints in the namespace

din*_*ina 5 erlang elixir kubernetes google-kubernetes-engine

Kubernetes 1.9.4 is running on my GKE cluster.

I have two pods: gate is trying to connect to coolapp, and both are written in Elixir.

I am using libcluster to connect my nodes, and I get the following error:

[libcluster:app_name] cannot query kubernetes (unauthorized): endpoints is forbidden: User "system:serviceaccount:staging:default" cannot list endpoints in the namespace "staging": Unknown user "system:serviceaccount:staging:default"

This is my configuration in config/prod:

config :libcluster,
  topologies: [
    app_name: [
      strategy: Cluster.Strategy.Kubernetes,
      config: [
        kubernetes_selector: "tier=backend",
        kubernetes_node_basename: System.get_env("MY_POD_NAMESPACE") || "${MY_POD_NAMESPACE}"]]]

This is my configuration:

vm.args

## Name of the node
-name ${MY_POD_NAMESPACE}@${MY_POD_IP}
## Cookie for distributed erlang
-setcookie ${ERLANG_COOKIE}
# Enable SMP automatically based on availability
-smp auto

Creating the secret and the configmap:

kubectl create secret generic erlang-config --namespace staging --from-literal=erlang-cookie=xxxxxx
kubectl create configmap vm-config --namespace staging --from-file=vm.args

gate/deployment.yaml:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: gate
  namespace: staging
spec:
  replicas: 1
  revisionHistoryLimit: 1
  strategy:
      type: RollingUpdate
  template:
    metadata:
      labels:
        app: gate
        tier: backend
    spec:
      securityContext:
        runAsUser: 0
        runAsNonRoot: false
      containers:
      - name: gate
        image: gcr.io/development/gate:0.1.7
        args:
          - foreground
        ports:
        - containerPort: 80
        volumeMounts:
        - name: config-volume
          mountPath: /beamconfig
        env:
        - name: MY_POD_NAMESPACE
          value: staging
        - name: MY_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: RELEASE_CONFIG_DIR
          value: /beamconfig
        - name: ERLANG_COOKIE
          valueFrom:
            secretKeyRef:
              name: erlang-config
              key: erlang-cookie
      volumes:
      - name: config-volume
        configMap:
          name: vm-config

coolapp/deployment.yaml:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: coolapp
  namespace: staging
spec:
  replicas: 1
  revisionHistoryLimit: 1
  strategy:
      type: RollingUpdate
  template:
    metadata:
      labels:
        app: coolapp
        tier: backend
    spec:
      securityContext:
        runAsUser: 0
        runAsNonRoot: false
      # volumes
      volumes:
      - name: config-volume
        configMap:
          name: vm-config
      containers:
      - name: coolapp
        image: gcr.io/development/coolapp:1.0.3
        volumeMounts:
        - name: secrets-volume
          mountPath: /secrets
          readOnly: true
        - name: config-volume
          mountPath: /beamconfig
        ports:
        - containerPort: 80
        args:
          - "foreground"
        env:
        - name: MY_POD_NAMESPACE
          value: staging
        - name: MY_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: MY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: REPLACE_OS_VARS
          value: "true"
        - name: RELEASE_CONFIG_DIR
          value: /beamconfig
        - name: ERLANG_COOKIE
          valueFrom:
            secretKeyRef:
              name: erlang-config
              key: erlang-cookie
        # proxy_container
      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.11
        command: ["/cloud_sql_proxy", "--dir=/cloudsql",
            "-instances=staging:us-central1:com-staging=tcp:5432",
            "-credential_file=/secrets/cloudsql/credentials.json"]
        volumeMounts:
          - name: cloudsql-instance-credentials
            mountPath: /secrets/cloudsql
            readOnly: true
          - name: cloudsql
            mountPath: /cloudsql

Jan*_*art 5

The default service account in the staging namespace (where, judging by the libcluster usage, your pods are evidently running) lacks the RBAC permissions to get endpoints in that namespace.

Your application may need many other permissions (not mentioned in the error message above) in order to work properly; identifying all of them is beyond the scope of SO.

One way to resolve this is to grant that service account superuser permissions. This is not a secure solution, but a stop-gap fix.

$ kubectl create clusterrolebinding make-staging-sa-cluster-admin \
    --serviceaccount=staging:default \
    --clusterrole=cluster-admin

clusterrolebinding "make-staging-sa-cluster-admin" created

To grant specific permissions (getting endpoints in the staging namespace), you first need to create a Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: some-permissions
  namespace: staging
rules:
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]

and a RoleBinding for the default service account in the staging namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: give-default-sa-some-permissions
  namespace: staging
subjects:
- kind: ServiceAccount
  name: default
  namespace: staging
roleRef:
  kind: Role
  name: some-permissions
  apiGroup: rbac.authorization.k8s.io
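As an added illustration (not code from the question or the answer), the toy RBAC evaluator below replays the exact request from the error message, "list endpoints in namespace staging as system:serviceaccount:staging:default", against the two fixes the answer proposes, and shows why the Role/RoleBinding is the least-privilege one. The rules of some-permissions are copied from the answer's manifest; the cluster-admin entry is a constructed stand-in for the built-in ClusterRole, and the "delete secrets in production" probe is a constructed request that libcluster never needs.

```python
# Toy RBAC evaluator: does a subject's set of bindings allow a request?
# Added example; the Role rules come from the answer's manifest, the
# cluster-admin role is a constructed stand-in for the built-in ClusterRole.

SA = "system:serviceaccount:staging:default"   # subject from the error message

# Role "some-permissions" in namespace staging (rules from the answer's manifest)
SOME_PERMISSIONS = {"namespace": "staging", "rules": [
    {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get", "list", "watch"]},
]}
# Constructed stand-in for cluster-admin: a cluster-scoped role matching everything
CLUSTER_ADMIN = {"namespace": None, "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]}

def rule_allows(rule, api_group, resource, verb):
    """A rule matches only when every field is listed explicitly or wildcarded."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def can_i(bindings, subject, namespace, api_group, resource, verb):
    """bindings: list of (subject, role). A Role bound by a RoleBinding applies
    only inside its own namespace; a cluster-scoped role (namespace None)
    applies everywhere. RBAC is allow-only: with no matching rule, deny."""
    for bound_subject, role in bindings:
        if bound_subject != subject:
            continue
        if role["namespace"] is not None and role["namespace"] != namespace:
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False

# Three cluster states: the original failure, the least-privilege fix, the stop-gap.
NO_BINDINGS = []
LEAST_PRIVILEGE = [(SA, SOME_PERMISSIONS)]   # Role + RoleBinding from the answer
STOP_GAP = [(SA, CLUSTER_ADMIN)]             # clusterrolebinding to cluster-admin

def libcluster_request(bindings, namespace="staging"):
    """The request libcluster makes: list endpoints (core API group) in the namespace."""
    return can_i(bindings, SA, namespace, "", "endpoints", "list")

def blast_radius(bindings):
    """Constructed probe libcluster never needs: delete secrets in another namespace."""
    return can_i(bindings, SA, "production", "", "secrets", "delete")

if __name__ == "__main__":
    for name, b in [("no binding", NO_BINDINGS), ("Role+RoleBinding", LEAST_PRIVILEGE),
                    ("cluster-admin", STOP_GAP)]:
        print(f"{name:18} list endpoints: {libcluster_request(b)!s:5}  "
              f"delete prod secrets: {blast_radius(b)}")
```

Running it prints that only the cluster-admin binding also allows the destructive probe, which is the concrete meaning of "not a secure solution" above.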

  • You didn't specify your environment, but if you're using GKE, check /sf/answers/3242167071/. Otherwise I suggest you start a new question. (2 upvotes)