我正在尝试授予我的服务帐户foo权限以获取集群上的节点列表(通过kubectl get nodes)。我创建了一个 clusterrole 和一个具有以下权限的角色绑定:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: foo-cluster-role
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
当我使用该服务帐户运行 pod 时,我无法运行kubectl get nodes:
root@debugger:/# kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:default:foo" cannot list resource "nodes" in API group "" at the cluster scope
奇怪的是,当我询问 via 时kubectl auth can-i,它告诉我我应该有权访问:
root@debugger:/# kubectl auth can-i get nodes
Warning: resource 'nodes' is not namespace scoped
yes
如何设置我的服务帐户以便有权列出集群上的节点?
编辑ClusterRoleBinding 如下所示:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: foo-binding
subjects:
- kind: ServiceAccount
name: foo
roleRef:
kind: ClusterRole
name: foo-cluster-role
apiGroup: ""
hoq*_*que 11
你必须创建ClusterRoleBinding. 请检查以下内容。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: foo-cluster-role
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: foo-binding
subjects:
- kind: ServiceAccount
name: foo
namespace: default
roleRef:
kind: ClusterRole
name: foo-cluster-role
apiGroup: rbac.authorization.k8s.io
| 归档时间: |
|
| 查看次数: |
4975 次 |
| 最近记录: |