ServiceAccount cannot list resource "pods" in the namespace even though it has a Role for the appropriate resources

Mug*_*gen 7 rbac kubernetes kubectl

I have the following definitions in my custom namespace:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/exec"]
    verbs: ["get", "list", "delete", "patch", "create"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "deployments/scale"]
    verbs: ["get", "list", "delete", "patch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test
subjects:
  - kind: User
    name: test-sa
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: test
  apiGroup: rbac.authorization.k8s.io

Running describe role test gives:

Name:         test
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"test","namespace":"test-namesapce...
PolicyRule:
  Resources                     Non-Resource URLs  Resource Names  Verbs
  ---------                     -----------------  --------------  -----
  pods/exec                     []                 []              [get list delete patch create]
  pods                          []                 []              [get list delete patch create]
  deployments.apps/scale        []                 []              [get list delete patch create]
  deployments.apps              []                 []              [get list delete patch create]
  deployments.extensions/scale  []                 []              [get list delete patch create]
  deployments.extensions        []                 []              [get list delete patch create]

When I try to run kubectl get pods inside a pod that uses this service account, I get the following error:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:test-namespace:test-sa" cannot list resource "pods" in API group "" in the namespace "test-namespace"

Where is the configuration wrong?

Mug*_*gen 7

The problem is in the subjects of the RoleBinding. The correct definition is:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test
subjects:
  - kind: ServiceAccount
    name: test-sa
roleRef:
  kind: Role
  name: test
  apiGroup: rbac.authorization.k8s.io
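Added example (not code from the question or the answer): a small POSIX shell check that shows why the first binding fails and the second works. RBAC compares the authenticated username string against the binding's subjects, and a pod presenting a ServiceAccount token authenticates as system:serviceaccount:NAMESPACE:NAME (the name in the error message), never as the bare "test-sa" that the User subject names. Both manifests are constructed copies of the ones in the thread; the namespace test-namespace is taken from the error message, and the fixed binding spells out the subject namespace explicitly rather than relying on defaulting.

```shell
#!/bin/sh
# Added example, not part of the original thread: inspect which principal a
# RoleBinding grants and compare it with the ServiceAccount's real username.

# Constructed sample: the binding from the question, which names a User.
BROKEN_RB='apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test
subjects:
  - kind: User
    name: test-sa
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: test
  apiGroup: rbac.authorization.k8s.io'

# Constructed sample: the binding from the answer, with the subject namespace
# written out explicitly (the answer omits it and relies on defaulting).
FIXED_RB='apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test
subjects:
  - kind: ServiceAccount
    name: test-sa
    namespace: test-namespace
roleRef:
  kind: Role
  name: test
  apiGroup: rbac.authorization.k8s.io'

# sa_principal NAMESPACE NAME: print the username the API server sees when a
# pod presents that ServiceAccount's token (this is the name in the error).
sa_principal() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# rb_subject_kind MANIFEST: print the kind of the first subject in a binding.
rb_subject_kind() {
  printf '%s\n' "$1" | awk '
    /^subjects:/ { in_subj = 1; next }
    /^roleRef:/  { in_subj = 0 }
    in_subj && /kind:/ { print $NF; exit }'
}

# rb_binds_serviceaccount NAME MANIFEST: exit 0 only if the binding has a
# subject of kind ServiceAccount whose name is NAME. A User subject carrying
# the same bare name does not count, because the authenticated username of a
# ServiceAccount is system:serviceaccount:<ns>:<name>, not "<name>".
rb_binds_serviceaccount() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /^subjects:/ { in_subj = 1; next }
    /^roleRef:/  { in_subj = 0 }
    in_subj && /kind:/ { kind = $NF }
    in_subj && /name:/ { if (kind == "ServiceAccount" && $NF == want) found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Stand-alone run: report what each manifest grants to the ServiceAccount.
for rb in "$BROKEN_RB" "$FIXED_RB"; do
  if rb_binds_serviceaccount test-sa "$rb"; then
    echo "subject kind $(rb_subject_kind "$rb"): grants the role to $(sa_principal test-namespace test-sa)"
  else
    echo "subject kind $(rb_subject_kind "$rb"): does NOT grant the role to $(sa_principal test-namespace test-sa)"
  fi
done
```

Against a live cluster the same question is answered authoritatively by the API server itself: kubectl auth can-i list pods --as=system:serviceaccount:test-namespace:test-sa -n test-namespace returns "no" with the question's binding and "yes" once the subject is a ServiceAccount, which is a quicker way to confirm a fix than exec-ing into the pod.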