Forbidden resource in API group at the cluster scope

Ben*_*der 22 kubernetes prometheus minikube

I cannot work out exactly what is wrong with the permissions in my setup, shown below. I have gone through all the similar Q&As and still cannot resolve it. The goal is to deploy Prometheus and have it scrape the /metrics endpoints that the other applications in the cluster already expose.

Failed to watch *v1.Endpoints: failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:default:default" cannot list resource "endpoints" in API group "" at the cluster scope"
Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:default:default" cannot list resource "pods" in API group "" at the cluster scope"
Failed to watch *v1.Service: failed to list *v1.Service: services is forbidden: User "system:serviceaccount:default:default" cannot list resource "services" in API group "" at the cluster scope"
...
...

The command below returns "no" for all services, nodes, pods, and so on.

kubectl auth can-i get services --as=system:serviceaccount:default:default -n default

minikube

$ minikube start --vm-driver=virtualbox --extra-config=apiserver.Authorization.Mode=RBAC

  minikube v1.14.2 on Darwin 11.2
✨  Using the virtualbox driver based on existing profile
  Starting control plane node minikube in cluster minikube
  Restarting existing virtualbox VM for "minikube" ...
  Preparing Kubernetes v1.19.2 on Docker 19.03.12 ...
    ▪ apiserver.Authorization.Mode=RBAC
  Verifying Kubernetes components...
  Enabled addons: storage-provisioner, default-storageclass, dashboard
  Done! kubectl is now configured to use "minikube" by default

Roles

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole

metadata:
  name: monitoring-cluster-role

rules:
  - apiGroups: [""]
    resources: ["nodes", "services", "pods", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount

metadata:
  name: monitoring-service-account
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding

metadata:
  name: monitoring-cluster-role-binding

roleRef:
  kind: ClusterRole
  name: monitoring-cluster-role
  apiGroup: rbac.authorization.k8s.io

subjects:
  - kind: ServiceAccount
    name: monitoring-service-account
    namespace: default

Prometheus

apiVersion: v1
kind: ConfigMap

metadata:
  name: prometheus-config-map
  namespace: default

data:
  prometheus.yml: |
    global:
      scrape_interval: 15s
    scrape_configs:
      - job_name: 'kubernetes-service-endpoints'
        kubernetes_sd_configs:
        - role: endpoints
        relabel_configs:
        - action: labelmap
          regex: __meta_kubernetes_service_label_(.+)
        - source_labels: [__meta_kubernetes_namespace]
          action: replace
          target_label: kubernetes_namespace
        - source_labels: [__meta_kubernetes_service_name]
          action: replace
          target_label: kubernetes_name
---
apiVersion: apps/v1
kind: Deployment

metadata:
  name: prometheus-deployment
  namespace: default
  labels:
    app: prometheus

spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      labels:
        app: prometheus
    spec:
      containers:
        - name: prometheus
          image: prom/prometheus:latest
          ports:
            - name: http
              protocol: TCP
              containerPort: 9090
          volumeMounts:
            - name: config
              mountPath: /etc/prometheus/
            - name: storage
              mountPath: /prometheus/
      volumes:
        - name: config
          configMap:
            name: prometheus-config-map
        - name: storage
          emptyDir: {}
---
apiVersion: v1
kind: Service

metadata:
  name: prometheus-service
  namespace: default

spec:
  type: NodePort
  selector:
    app: prometheus
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9090

Jon*_*nas 21

User "system:serviceaccount:default:default" cannot list resource "endpoints" in API group "" at the cluster scope

User "system:serviceaccount:default:default" cannot list resource "pods" in API group "" at the cluster scope

User "system:serviceaccount:default:default" cannot list resource "services" in API group "" at the cluster scope

Something running in the default namespace with the default ServiceAccount is doing something it does not have permission for.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitoring-service-account

Here you create a specific ServiceAccount. You also grant it some cluster-wide permissions.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-deployment
  namespace: default

You run Prometheus in the default namespace, but you do not specify a ServiceAccount, so it runs with the default ServiceAccount.

I think your problem is that you should set the ServiceAccount you created in the Prometheus Deployment manifest.

  • You're right. All I had to do was add "serviceAccountName: monitoring-service-account" to the "spec.spec" of the deployment manifest. Thanks. (5 upvotes)
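To make the answer's point concrete, here is a constructed Python model of the question's ClusterRole and ClusterRoleBinding (added here; it is not from the question or the answer, and it is not Kubernetes' own authorizer). It derives the identity a pod actually runs as and replays the apiserver's decision for the pod spec before and after adding serviceAccountName.

```python
# Constructed RBAC model of the manifests in the question (not Kubernetes code).
# Real RBAC also evaluates Roles/RoleBindings, User and Group subjects and
# non-resource URLs; this covers only the ClusterRole/ClusterRoleBinding path.

CLUSTER_ROLE_RULES = [  # rules copied from monitoring-cluster-role
    {"apiGroups": [""], "resources": ["nodes", "services", "pods", "endpoints"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    {"apiGroups": ["extensions"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch"]},
]
BINDING_SUBJECTS = [  # subjects copied from monitoring-cluster-role-binding
    {"kind": "ServiceAccount", "name": "monitoring-service-account", "namespace": "default"},
]

def pod_identity(pod_spec, namespace):
    """A pod that sets no serviceAccountName runs as the namespace's 'default' SA."""
    return f"system:serviceaccount:{namespace}:{pod_spec.get('serviceAccountName', 'default')}"

def _matches(allowed, value):
    return "*" in allowed or value in allowed

def can_i(user, verb, resource, api_group=""):
    """Mirror 'kubectl auth can-i VERB RESOURCE --as=USER' for the cluster scope."""
    bound = any(s["kind"] == "ServiceAccount"
                and f"system:serviceaccount:{s['namespace']}:{s['name']}" == user
                for s in BINDING_SUBJECTS)
    return bound and any(_matches(r["verbs"], verb) and _matches(r["resources"], resource)
                         and _matches(r["apiGroups"], api_group) for r in CLUSTER_ROLE_RULES)

def explain(user, verb, resource, api_group=""):
    """The apiserver's wording for a denial, as seen in the Prometheus log."""
    if can_i(user, verb, resource, api_group):
        return "yes"
    return (f'{resource} is forbidden: User "{user}" cannot {verb} resource '
            f'"{resource}" in API group "{api_group}" at the cluster scope')

# Pod spec as deployed in the question (no serviceAccountName) and after the fix.
BROKEN_POD_SPEC = {"containers": [{"name": "prometheus", "image": "prom/prometheus:latest"}]}
FIXED_POD_SPEC = dict(BROKEN_POD_SPEC, serviceAccountName="monitoring-service-account")

if __name__ == "__main__":
    for spec in (BROKEN_POD_SPEC, FIXED_POD_SPEC):
        user = pod_identity(spec, "default")
        for resource in ("endpoints", "pods", "services"):
            print(explain(user, "list", resource))
```

On the question's Kubernetes v1.19.2 the last rule grants nothing useful: Deployments are served only from the apps group there, so listing deployments in apps is still denied, and the rule can be dropped or re-pointed to keep the role no larger than the scrape config needs.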