I am deploying an application to my Kubernetes cluster that uses the Kubernetes API to list the pods in the cluster (not only the pods in its own namespace). The application will live in its own namespace.
The RBAC rules are as follows;
```yaml
# ClusterRole: read-only access to pods (not bound to any namespace by itself).
# Note: rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# current clusters need rbac.authorization.k8s.io/v1.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# RoleBinding in namespace "kubecontrol": binds the ClusterRole above to the
# namespace's default ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: kubecontrol-rbac-role-binding
  namespace: kubecontrol
subjects:
- kind: ServiceAccount
  namespace: kubecontrol
  name: default
roleRef:
  kind: ClusterRole
  name: kubecontrol-rbac-role
  apiGroup: rbac.authorization.k8s.io
```
As you can see, I have a ClusterRole that grants the "list", "get" and "watch" verbs on the "pods" resource, and a RoleBinding that applies this ClusterRole to the namespace's default ServiceAccount.
When I check the authorization with kubectl auth can-i, this configuration appears to work:
```
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods
yes
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods --v=8
...
I0326 23:17:05.125188   56505 request.go:947] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"kubecontrol","verb":"list","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"kubecontrol-rbac-role-binding/kubecontrol\" of ClusterRole \"kubecontrol-rbac-role\" to ServiceAccount \"default/kubecontrol\""}}
```
The reason given is: RBAC: allowed by RoleBinding "kubecontrol-rbac-role-binding/kubecontrol" of ClusterRole "kubecontrol-rbac-role" to ServiceAccount "default/kubecontrol".
However, when I actually try to perform the action, I am told I am not allowed to;
```
$ kubectl get pod --as=system:serviceaccount:kubecontrol:default --all-namespaces
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kubecontrol:default" cannot list resource "pods" in API group "" at the cluster scope
```
I see the same error message in the application.
The user (system:serviceaccount:kubecontrol:default) is the same in both cases, so why can I not list pods, even though Kubernetes itself says I can?
With --all-namespaces you list the pods in all namespaces of the cluster. But since you only used a RoleBinding, you have the permissions of the ClusterRole only in the given namespace (in your case the namespace kubecontrol). You have to use a ClusterRoleBinding instead to apply the ClusterRole to the entire cluster.
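The fix the answer describes, written out as an added example (not the question's manifests or the answerer's code). It assumes the same namespace kubecontrol and the same ClusterRole name; the ServiceAccount name kubecontrol-reader is a hypothetical one chosen here so that cluster-wide read access is not handed to the namespace's default ServiceAccount, which every pod in the namespace without an explicit serviceAccountName would otherwise inherit.

```yaml
# Added example; assumes namespace "kubecontrol" and a dedicated
# ServiceAccount "kubecontrol-reader" (hypothetical name, not from the question).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubecontrol-reader
  namespace: kubecontrol
---
# Same read-only pod rules as the question's ClusterRole, on the stable v1 API.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding instead of RoleBinding: it has no namespace, so the
# ClusterRole's rules apply in every namespace and at the cluster scope,
# which is what "kubectl get pod --all-namespaces" (a cluster-scoped list) needs.
# A RoleBinding to the same ClusterRole would grant these rules only inside
# the namespace that holds the binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubecontrol-rbac-role-binding
subjects:
- kind: ServiceAccount
  name: kubecontrol-reader
  namespace: kubecontrol
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubecontrol-rbac-role
```

Set serviceAccountName: kubecontrol-reader in the application's pod spec so it uses this account. To check the grant the way the application will use it, ask for the cluster scope rather than a single namespace, which is what the question's `-n kubecontrol` check missed: `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:kubecontrol:kubecontrol-reader` should now answer yes, and `kubectl get pod --all-namespaces --as=system:serviceaccount:kubecontrol:kubecontrol-reader` should succeed. Keep in mind that cluster-wide list/watch on pods exposes every pod's spec (image names, environment variables, mounted secret names) to that ServiceAccount, so only bind cluster-wide if the application genuinely needs more than its own namespace.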