创建ServiceAccounts以访问Kubernetes部署

问题描述 投票:0回答:1

我想通过api服务器访问kubernetes部署对象。

我有一个服务帐户文件如下所示。

apiVersion: v1
kind: ServiceAccount
metadata:
  name: name
  namespace: namespace

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: name
  namespace: namespace
rules:
- apiGroups: [""]
  resources: ["deployment"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["deployment/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["deployment/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: name
  namespace: namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: name
subjects:
- kind: ServiceAccount
  name: name

在访问端点时,我收到403 Forbidden错误与此服务帐户所有者的令牌

/apis/apps/v1beta1/namespaces/namespace/deployments
kubernetes rbac
1个回答
2
投票

所有角色的规则都适用于核心(空)API group。但是,您尝试访问的网址/apis/apps/v1beta1位于“apps”API组(/apis之后的路径部分)。因此,要访问该特定API路径,您需要将角色定义更改为

rules:
- apiGroups: ["apps"]
  resources: ["deployment"]
  verbs: ["create","delete","get","list","patch","update","watch"]
# and also the other deployment subpaths
© www.soinside.com 2019 - 2024. All rights reserved.