Kubernetes: RBAC authorization failure for a custom resource

Question (votes: 1, answers: 1)
922:johndoe:db-operator:(master)λ kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.6", GitCommit:"6260bb08c46c31eea6cb538b34a9ceb3e406689c", GitTreeState:"clean", BuildDate:"2017-12-21T06:34:11Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.12-gke.14", GitCommit:"021f778af7f1bd160d8fba226510f7ef9c9742f7", GitTreeState:"clean", BuildDate:"2019-03-30T19:30:57Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}

I created a custom resource definition together with an operator that controls that resource, but the operator receives a "forbidden" error at runtime.

The custom resource definition YAML, role.yaml and role_binding.yaml are:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: db-operator
rules:
  - apiGroups: ['']
    resources: ['pods', 'configmaps']
    verbs: ['get']
  - apiGroups: ['']
    resources: ['configmaps']
    verbs: ['create']
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['*']
  - apiGroups: ['']
    resources: ['databaseservices.app.example.com', 'databaseservices', 'DatabaseServices']

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: db-operator
subjects:
  - kind: ServiceAccount
    name: db-operator
    namespace: default
roleRef:
  kind: Role
  name: db-operator
  apiGroup: rbac.authorization.k8s.io

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: databaseservices.app.example.com
spec:
  group: app.example.com
  names:
    kind: DatabaseService
    listKind: DatabaseServiceList
    plural: databaseservices
    singular: databaseservice
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description:
            'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description:
            'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          type: object
        status:
          type: object
  version: v1alpha1
  versions:
    - name: v1alpha1
      served: true
      storage: true

Note that I am trying to reference the custom resource by its plural name, by its group-qualified name and by its kind.

As can be seen from the role definition, the permissions for the other resources appear to work.

However, the operator always fails with:

E0425 09:02:04.687611       1 reflector.go:134] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.DatabaseService: databaseservices.app.example.com is forbidden: User "system:serviceaccount:default:db-operator" cannot list databaseservices.app.example.com in the namespace "default"

Any idea what might be causing this?

kubernetes rbac kubernetes-custom-resources
1 answer
1 vote

Try this role definition for the custom resource:

- apiGroups: ['app.example.com']
  resources: ['databaseservices']
  verbs: ['*']
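To see why the Role from the question denies the operator's list request while the rule above allows it, here is an added Python model of how RBAC PolicyRules are matched (example code written for this page, not Kubernetes' own authorizer; it assumes `verbs: ['*']` for the question's last rule, which has no verbs on the page, and ignores subresource patterns):

```python
"""Minimal model of RBAC PolicyRule matching: a request is allowed only if
some rule matches its API group, resource and verb all at once."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: tuple   # '' is the core group, '*' matches every group
    resources: tuple    # plural resource names, e.g. 'databaseservices'
    verbs: tuple

def _match(allowed, value):
    # Exact, case-sensitive match or the '*' wildcard; nothing else counts.
    return '*' in allowed or value in allowed

def rule_allows(rule, group, resource, verb):
    return (_match(rule.api_groups, group)
            and _match(rule.resources, resource)
            and _match(rule.verbs, verb))

def role_allows(rules, group, resource, verb):
    return any(rule_allows(r, group, resource, verb) for r in rules)

# The Role from the question: every rule names the core API group ('').
QUESTION_ROLE = (
    Rule(('',), ('pods', 'configmaps'), ('get',)),
    Rule(('',), ('configmaps',), ('create',)),
    Rule(('',), ('secrets',), ('*',)),
    # Assumed verbs: ['*'], so only the group/resource mismatch matters here.
    Rule(('',), ('databaseservices.app.example.com', 'databaseservices',
                 'DatabaseServices'), ('*',)),
)

# The fix from the answer: the CRD's own group plus its plural name.
FIXED_ROLE = QUESTION_ROLE[:3] + (
    Rule(('app.example.com',), ('databaseservices',), ('*',)),
)

def check_operator(rules):
    """Verdicts for the two requests the operator makes, as seen in the log:
    reading a ConfigMap (core group) and listing the custom resource
    (group app.example.com, resource databaseservices)."""
    return {
        'get configmaps': role_allows(rules, '', 'configmaps', 'get'),
        'list databaseservices': role_allows(
            rules, 'app.example.com', 'databaseservices', 'list'),
    }
```

On a live cluster the equivalent check is `kubectl auth can-i list databaseservices.app.example.com --as=system:serviceaccount:default:db-operator -n default`, which should print `yes` once the corrected rule is bound.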