我正在尝试使用 RBAC 授予用户对特定资源的访问权限。我已经定义了一个角色和一个角色绑定,两者都在同一名称空间下。尽管上下文标识要使用该命名空间和用户,但该用户无权访问该资源。
角色:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: l
rules:
- apiGroups: [v1]
resources: [secrets]
verbs: [get, list, create, update, patch, delete]
- apiGroups: [v1]
resources: [pods]
verbs: [get, watch, list]
角色绑定:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: l
namespace: default
subjects:
- kind: User
name: l
namespace: default
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: l
apiGroup: rbac.authorization.k8s.io
背景:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: xx
server: xx
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: default
user: l
name: l
current-context: l
kind: Config
preferences: {}
users:
- name: l
user:
client-certificate-data: xx
client-key-data: xx
验证是否缺少权限:
kubectl get pods --kubeconfig=l/l-k8s-config
Error from server (Forbidden): pods is forbidden: User "l" cannot list resource "pods" in API group "" in the namespace "default"
kubectl get secrets --kubeconfig=l/l-k8s-config
Error from server (Forbidden): secrets is forbidden: User "l" cannot list resource "secrets" in API group "" in the namespace "default"
kubectl auth can-i get secrets -n default --kubeconfig=l/l-k8s-config
no
Kubernetes 中的每个资源都有一个 api 组和一个 api 版本。当看到类似的东西时:
apiVersion: apps/v1
apps
是组,v1
是版本。
对于Pod、Secrets等核心资源,没有api组,版本为
v1
。创建角色时,需要将apiGroup
设置为""
。例如,看一下默认的 edit
角色,其中包括:
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
您需要更新您的角色,使其显示为:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: myrole
rules:
- apiGroups: [""]
resources: [secrets]
verbs: [get, list, create, update, patch, delete]
- apiGroups: [""]
resources: [pods]
verbs: [get, watch, list]
您在问题中显示的错误消息中清楚地说明了这一点:
来自服务器的错误(禁止):pod 被禁止:用户“l”无法在命名空间“default”中的 API 组“”中列出资源“pods”