kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:default:journalbeat" cannot list resource "pods" in API group ""

cod*_*diz 2 kubernetes

I don't know what is going wrong here, because I have granted the correct permissions but still get the forbidden error.

I am using the following YAML for the ClusterRole, ClusterRoleBinding and ServiceAccount.

ClusterRole


---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: journalbeat
rules:
  - apiGroups:
      - extensions
    resourceNames:
      - journalbeat
    resources:
      - podsecuritypolicies
    verbs:
      - use
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
    verbs:
      - get
      - watch
      - list


rolebinding.yaml


---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: journalbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: journalbeat
subjects:
  - kind: ServiceAccount
    name: journalbeat
    namespace: journalbeat

ServiceAccount


---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: journalbeat

Error log of the Journalbeat pod

$ kubectl logs -f journalbeat-4thzj                
2020-06-24T06:30:34.947Z        INFO    instance/beat.go:606    Home path: [/usr/share/journalbeat] Config path: [/usr/share/journalbeat] Data path: [/usr/share/journalbeat/data] Logs path: [/usr/share/journalbeat/logs]
2020-06-24T06:30:34.952Z        INFO    instance/beat.go:614    Beat ID: dd2ed096-8ad0-4e7d-86f8-340acfcddd1d
2020-06-24T06:30:34.953Z        INFO    kubernetes/util.go:71   kubernetes: Using node ip-172-28-20-76 provided in the config
2020-06-24T06:30:34.953Z        INFO    kubernetes/watcher.go:182       kubernetes: Performing a resource sync for *v1.PodList
2020-06-24T06:30:34.961Z        ERROR   kubernetes/watcher.go:185       kubernetes: Performing a resource sync err kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:default:journalbeat" cannot list resource "pods" in API group "" at the cluster scope for *v1.PodList
2020-06-24T06:30:34.961Z        INFO    instance/beat.go:366    journalbeat stopped.
2020-06-24T06:30:34.961Z        ERROR   instance/beat.go:877    Exiting: error initializing processors: kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:default:journalbeat" cannot list resource "pods" in API group "" at the cluster scope
Exiting: error initializing processors: kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:default:journalbeat" cannot list resource "pods" in API group "" at the cluster scope


$ kubectl auth can-i get pods --as system:serviceaccount:default:journalbeat
no


hoq*_*que 5

Your ServiceAccount is in the default namespace, so modify the ClusterRoleBinding as follows:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: journalbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: journalbeat
subjects:
  - kind: ServiceAccount
    name: journalbeat
    namespace: default # as your ServiceAccount is in default namespace
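The root cause above is that the ServiceAccount manifest has no `metadata.namespace`, so the account is created in `default` and the apiserver names it `system:serviceaccount:default:journalbeat`, while the binding subject points at `system:serviceaccount:journalbeat:journalbeat`. The script below is an added example, not code from the question, the answer or the Journalbeat project: it parses the 403 message from the log, replays the denied request against a deliberately simplified model of the RBAC authorizer (ClusterRoleBindings and ServiceAccount subjects only, no role aggregation, no non-resource URLs), and shows that the original binding denies and the corrected binding allows. The role, bindings and log line are constructed copies of the manifests on this page; `error_is_fixed_by` and the other function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Matches the RBAC denial text the apiserver returns (as seen in the journalbeat log above).
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
)


def parse_forbidden(message: str) -> Optional[Dict[str, str]]:
    """Pull user, verb, resource and API group out of a 403 message; None if it is not one."""
    m = FORBIDDEN_RE.search(message)
    return m.groupdict() if m else None


def service_account_user(name: str, namespace: Optional[str]) -> str:
    """Username the apiserver assigns to a ServiceAccount. A manifest without
    metadata.namespace lands in 'default', which is the trap in the question."""
    return f"system:serviceaccount:{namespace or 'default'}:{name}"


def subject_matches(subject: Dict[str, str], user: str) -> bool:
    """True if a binding subject names this user (only ServiceAccount subjects are modelled)."""
    if subject.get("kind") != "ServiceAccount":
        return False
    return service_account_user(subject["name"], subject.get("namespace")) == user


def rule_allows(rule: Dict[str, List[str]], verb: str, resource: str, group: str, name: str) -> bool:
    """Simplified RBAC rule check: apiGroups, resources and verbs must all match ('*' is a wildcard).
    A rule with resourceNames only matches requests that carry that object name; list and watch
    requests carry no name, so such a rule can never grant them."""
    def hit(values: List[str], want: str) -> bool:
        return "*" in values or want in values

    if rule.get("resourceNames") and name not in rule["resourceNames"]:
        return False
    return (hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def can_i(user: str, verb: str, resource: str, group: str,
          cluster_roles: Dict[str, dict], bindings: List[dict], name: str = "") -> bool:
    """Cluster-scope decision: any ClusterRoleBinding whose subjects include the user and whose
    ClusterRole has a matching rule allows the request; otherwise RBAC denies (403)."""
    for binding in bindings:
        if not any(subject_matches(s, user) for s in binding.get("subjects", [])):
            continue
        role = cluster_roles.get(binding["roleRef"]["name"])
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(r, verb, resource, group, name) for r in role["rules"]):
            return True
    return False


def error_is_fixed_by(message: str, cluster_roles: Dict[str, dict], bindings: List[dict]) -> bool:
    """Replay the denied request from a 403 log line against a proposed set of bindings."""
    req = parse_forbidden(message)
    if req is None:
        raise ValueError("not an RBAC forbidden message")
    return can_i(req["user"], req["verb"], req["resource"], req["group"], cluster_roles, bindings)


# --- Constructed sample data mirroring the manifests in the question ---------------------
CLUSTER_ROLES = {
    "journalbeat": {"rules": [
        {"apiGroups": ["extensions"], "resources": ["podsecuritypolicies"],
         "resourceNames": ["journalbeat"], "verbs": ["use"]},
        {"apiGroups": [""], "resources": ["namespaces", "pods"], "verbs": ["get", "watch", "list"]},
    ]}
}
_BINDING = {"roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "journalbeat"}}
BROKEN_BINDING = {**_BINDING, "subjects": [{"kind": "ServiceAccount", "name": "journalbeat", "namespace": "journalbeat"}]}
FIXED_BINDING = {**_BINDING, "subjects": [{"kind": "ServiceAccount", "name": "journalbeat", "namespace": "default"}]}

# Constructed copy of the denial line from the journalbeat log in the question.
LOG_LINE = ('kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:default:journalbeat" '
            'cannot list resource "pods" in API group "" at the cluster scope for *v1.PodList')

if __name__ == "__main__":
    print("binding to namespace 'journalbeat':", error_is_fixed_by(LOG_LINE, CLUSTER_ROLES, [BROKEN_BINDING]))
    print("binding to namespace 'default':   ", error_is_fixed_by(LOG_LINE, CLUSTER_ROLES, [FIXED_BINDING]))
```

The same replay is what `kubectl auth can-i list pods --as system:serviceaccount:default:journalbeat` does against a live cluster; the value of reading the username out of the error message is that it tells you which namespace the account really lives in, independent of what the binding claims. The `resourceNames` branch also shows why a name-restricted rule (like the `use` rule on the PodSecurityPolicy) never satisfies a `list` or `watch` request.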