我正在尝试为需要持久卷的服务创建RBAC 角色/规则,但它仍然因禁止错误而失败。
这是我的角色配置:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: logdrop-user-full-access
namespace: logdrop
rules:
- apiGroups: ["", "extensions", "apps", "autoscaling"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs: ["*"]
这是我缩减的PersistentVolume清单:
apiVersion: v1
kind: PersistentVolume
metadata:
name: logdrop-pv
namespace: logdrop
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
claimRef:
namespace: logdrop
name: logdrop-pvc
hostPath:
path: /efs/logdrop/logdrop-pv
当我尝试应用它时,我收到一个禁止错误。
$ kubectl --kubeconfig ~/logdrop/kubeconfig-logdrop.yml apply -f pv-test.yml
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=persistentvolumes", GroupVersionKind: "/v1, Kind=PersistentVolume"
Name: "logdrop-pv", Namespace: ""
Object: &{map["apiVersion":"v1" "kind":"PersistentVolume" "metadata":map["annotations":map["kubectl.kubernetes.io/last-applied-configuration":""] "name":"logdrop-pv"] "spec":map["accessModes":["ReadWriteMany"] "capacity":map["storage":"10Gi"] "claimRef":map["name":"logdrop-pvc" "namespace":"logdrop"] "hostPath":map["path":"/efs/logdrop/logdrop-pv"] "persistentVolumeReclaimPolicy":"Retain"]]}
from server for: "pv-test.yml": persistentvolumes "logdrop-pv" is forbidden: User "system:serviceaccount:logdrop:logdrop-user" cannot get resource "persistentvolumes" in API group "" at the cluster scope
在最后一行,它特别说明resource "persistentvolumes" in API group ""- 这是我在规则中允许的!
我可以使用来自同一个 yaml 文件的管理员凭据创建 PV,我可以使用logdrop权限创建任何其他资源(pod、服务等)。只是PersistentVolume由于某种原因不起作用。知道为什么吗?
我正在使用 Kubernetes 1.15.0。
更新:
这是我按要求绑定的角色:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: logdrop-user-view
namespace: logdrop
subjects:
- kind: ServiceAccount
name: logdrop-user
namespace: logdrop
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: logdrop-user-full-access
它不是 ClusterRoleBinding,因为我的目的是让用户只能访问一个命名空间 ( logdrop),而不是集群中的所有命名空间。
小智 13
PV、命名空间、节点和存储是集群范围的对象。作为最佳实践,为了能够列出/观察这些对象,您需要创建ClusterRole并通过ClusterRoleBinding将它们绑定到ServiceAccount。举个例子;
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: <name of your cluster role>
rules:
- apiGroups: [""]
resources:
- nodes
- persistentvolumes
- namespaces
verbs: ["list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources:
- storageclasses
verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: <name of your cluster role binding>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: <name of your cluster role which should be matched with the previous one>
subjects:
- kind: ServiceAccount
name: <service account name>
我在这里看到一个潜在的问题。
持久卷是 cluster scoped resources. 它们应该由管理员提供,没有任何命名空间。
然而,PersistentVolumeClaims 可以由特定命名空间内的用户创建,因为它们是 namespaced resources.
这就是为什么当您使用admin凭据时它可以工作但与logdrop会返回错误的原因。
请让我知道这是否有意义。
cod*_*key -2
新角色需要使用RoleBinding授予一个用户或一组用户,例如:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: logdrop-rolebinding
namespace: logdrop
subjects:
- kind: User
name: logdrop-user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: logdrop-user-full-access
apiGroup: rbac.authorization.k8s.io
| 归档时间: |
|
| 查看次数: |
7457 次 |
| 最近记录: |