My service account cannot list certain resources even though the Role and RoleBinding have sufficient permissions.
I see this error:
2023-09-08T15:30:21.875Z INFO controller k8s.io/[email protected]/tools/cache/reflector.go:169:
failed to list *v1.Lease: leases.coordination.k8s.io is forbidden: User "system:serviceaccount:karpenter:karpenter"
cannot list resource "leases" in API group "coordination.k8s.io"
in the namespace "kube-node-lease"
When I check the service account authentication, I see the following error.
➜ ~ kubectl auth can-i get leases --as system:serviceaccount:karpenter:karpenter
error: You must be logged in to the server (the server has asked for the client to provide credentials (post selfsubjectaccessreviews.authorization.k8s.io))
Role/RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: karpenter-lease
  namespace: kube-node-lease
  labels:
    helm.sh/chart: karpenter-v0.30.0
    app.kubernetes.io/name: karpenter
    app.kubernetes.io/instance: karpenter
    app.kubernetes.io/version: "0.30.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: karpenter-lease
subjects:
  - kind: ServiceAccount
    name: karpenter
    namespace: karpenter
---
# Source: karpenter/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: karpenter-lease
  namespace: kube-node-lease
  labels:
    helm.sh/chart: karpenter-v0.30.0
    app.kubernetes.io/name: karpenter
    app.kubernetes.io/instance: karpenter
    app.kubernetes.io/version: "0.30.0"
    app.kubernetes.io/managed-by: Helm
rules:
  # Read
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  # Write
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["delete"]
AFAIR, K8s 1.24 made some major changes to service account tokens, which is why I also created a token for the service account, but it doesn't seem to work.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: karpenter
  annotations:
    kubernetes.io/service-account.name: karpenter
type: kubernetes.io/service-account-token
EOF
Has anyone run into a problem like this?
Thanks for your help.
To debug, you should first make sure that the Secret and ServiceAccount objects are in the karpenter namespace, because the Secret manifest you provided has no namespace field.
One more thing: the command does not look right, you have to specify the namespace:
kubectl auth can-i get leases --as system:serviceaccount:karpenter:karpenter \
--namespace kube-node-lease
Regarding the second error:
error: You must be logged in to the server (the server has asked for the client to provide credentials (post selfsubjectaccessreviews.authorization.k8s.io))
This is a very common error related to authentication problems with the API server.
So make sure you are logged in to the correct context, and check whether you can run any other command to verify, for example:
kubectl config current-context # to view your current context
kubectl get rolebinding,role,sa --namespace karpenter
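The two points above (a RoleBinding only grants in its own namespace, so `can-i` must be asked with `--namespace kube-node-lease`; and a token Secret without `metadata.namespace` lands wherever the current context points) can be checked offline. The following Python is an added example, not code from the question or from the Karpenter project: it is a deliberately minimal RBAC evaluator for namespaced Role/RoleBinding objects, run over constructed copies of the manifests in this thread. It goes slightly beyond the page by handling the `*` wildcard in `apiGroups`, `resources` and `verbs`; ClusterRoles, `resourceNames` and aggregation are out of scope, so it is a teaching aid rather than a replacement for the API server's decision.

```python
# Added example (not from the question or the Karpenter project): a minimal
# evaluator for namespaced RBAC, run over constructed copies of the Role,
# RoleBinding and token Secret from the thread. It answers the same question
# as `kubectl auth can-i ... --namespace <ns>` and shows why the namespace
# matters. Only Role/RoleBinding are modelled; ClusterRoles are ignored.

ROLE = {
    "kind": "Role",
    "metadata": {"name": "karpenter-lease", "namespace": "kube-node-lease"},
    "rules": [
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
         "verbs": ["delete"]},
    ],
}

ROLEBINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "karpenter-lease", "namespace": "kube-node-lease"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                "name": "karpenter-lease"},
    "subjects": [{"kind": "ServiceAccount", "name": "karpenter",
                  "namespace": "karpenter"}],
}

# Constructed copy of the token Secret from the question; note the missing
# metadata.namespace, which the answer points out.
TOKEN_SECRET = {
    "kind": "Secret",
    "metadata": {"name": "karpenter",
                 "annotations": {"kubernetes.io/service-account.name": "karpenter"}},
    "type": "kubernetes.io/service-account-token",
}


def _matches(allowed, value):
    """RBAC list matching: an exact entry or the wildcard '*'."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """One PolicyRule grants (group, resource, verb) only if all three match."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def binding_covers_sa(binding, sa_namespace, sa_name):
    """A ServiceAccount subject must match on both name and namespace."""
    return any(s.get("kind") == "ServiceAccount"
               and s.get("name") == sa_name
               and s.get("namespace") == sa_namespace
               for s in binding.get("subjects", []))


def can_i(objects, sa_namespace, sa_name, verb, api_group, resource, namespace):
    """Does system:serviceaccount:<sa_namespace>:<sa_name> get <verb> on
    <resource> in <namespace>, given only Role/RoleBinding objects?"""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objects if o["kind"] == "Role"}
    for b in objects:
        # A RoleBinding only grants inside its own namespace.
        if b["kind"] != "RoleBinding" or b["metadata"]["namespace"] != namespace:
            continue
        if not binding_covers_sa(b, sa_namespace, sa_name):
            continue
        ref = b["roleRef"]
        if ref["kind"] != "Role":
            continue
        # The referenced Role must live in the same namespace as the binding.
        role = roles.get((namespace, ref["name"]))
        if role and any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


def token_secret_problems(secret, sa_namespace, sa_name):
    """Checks the answer's point: a service-account-token Secret must sit in the
    ServiceAccount's namespace and name that account in its annotation."""
    problems = []
    meta = secret.get("metadata", {})
    ns = meta.get("namespace")
    if ns is None:
        problems.append("metadata.namespace is missing; kubectl apply will put the "
                        "Secret in the current context's namespace, not %r" % sa_namespace)
    elif ns != sa_namespace:
        problems.append("metadata.namespace %r != ServiceAccount namespace %r" % (ns, sa_namespace))
    annotated = meta.get("annotations", {}).get("kubernetes.io/service-account.name")
    if annotated != sa_name:
        problems.append("annotation kubernetes.io/service-account.name is %r, expected %r"
                        % (annotated, sa_name))
    if secret.get("type") != "kubernetes.io/service-account-token":
        problems.append("type must be kubernetes.io/service-account-token")
    return problems


if __name__ == "__main__":
    objs = [ROLE, ROLEBINDING]
    for ns in ("kube-node-lease", "default", "karpenter"):
        print(ns, "list leases:",
              can_i(objs, "karpenter", "karpenter", "list", "coordination.k8s.io", "leases", ns))
    for p in token_secret_problems(TOKEN_SECRET, "karpenter", "karpenter"):
        print("token secret:", p)
```

Running it shows `list leases` is allowed only in `kube-node-lease`, which is exactly why `kubectl auth can-i get leases --as system:serviceaccount:karpenter:karpenter` without `--namespace` (evaluated in the context's default namespace) reports no permission while the controller's real requests against `kube-node-lease` are covered by the binding; the Secret check reports the missing `metadata.namespace`.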