我刚刚使用运行Kubernetes 1.7.5的Google容器引擎创建了一个新的群集,并启用了新的RBAC权限.我遇到了为我的一些服务分配权限的问题,这些问题引导我进行以下操作:
使用RBAC容器引擎的文档声明必须通过运行以下命令授予用户创建授权角色的能力:
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>]
但是,由于缺少权限,这会失败(我假设这些权限与我们尝试通过运行上述命令授予的权限完全相同).
Error from server (Forbidden):
User "<user-name>" cannot create clusterrolebindings.rbac.authorization.k8s.io at the cluster scope.:
"Required \"container.clusterRoleBindings.create\" permission."
(post clusterrolebindings.rbac.authorization.k8s.io)
任何帮助将不胜感激,因为这阻止我创建我的集群服务所需的权限.
permissions google-cloud-platform kubernetes google-kubernetes-engine
创建新的GKE集群后,创建集群角色失败,并显示以下错误:
Error from server (Forbidden): error when creating "./role.yaml":
clusterroles.rbac.authorization.k8s.io "secret-reader" is forbidden:
attempt to grant extra privileges: [PolicyRule{Resources:["secrets"],
APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"],
APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"],
APIGroups:[""], Verbs:["list"]}] user=&{XXX@gmail.com
[system:authenticated] map[authenticator:[GKE]]} ownerrules= .
[PolicyRule{Resources:["selfsubjectaccessreviews"
"selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:
["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis"
"/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json"
"/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}]
ruleResolutionErrors=[]
我的帐户在IAM中具有以下权限:
Kubernetes Engine Admin
Kubernetes引擎集群管理员
所有者
这是我的role.yaml(来自Kubernetes文档):
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: secret-reader
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
根据RBAC的GCloud文档,我需要 …
rbac google-cloud-platform kubernetes google-kubernetes-engine