I am seeing RBAC failures when trying to deploy KubeIP to GKE.
I have isolated the problem to the following part of the KubeIP infrastructure:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubeip-sa
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch","patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","list","watch"]
I get the following error from kubectl and GKE:
Error from server (Forbidden): error when creating "template.yml": clusterroles.rbac.authorization.k8s.io "kubeip-sa" is forbidden: attempt to grant extra privileges: [{[get] [] [nodes] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []} {[patch] [] [nodes] [] []} {[get] [] [pods] [] []} {[list] [] [pods] [] []} {[watch] [] [pods] [] []}] user=&{108986779198363313539 [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpldMDXqrDZ2slnJReDbLytxt6P2EEyEBbLNRB90oOATH4vIURo/lIhaBuAj9nnwwyxJDSxj2OdCyjjgBC/s5QxftIJnr8128ToTglCzk+e8Wybt4heIizRHugWnIhKNqkF+B0yiv0pIxgOfakma+SbkzbQbVzJPtgxsmHmak30YfPA58n/xyJ8R7oNVJ5dFUAWDFNsqHf/auolViw0Zd7Cr4aYYDXX4GScw==]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]
I created the appropriate ~/.kubeconfig by issuing
gcloud container clusters get-credentials <cluster> \
--zone <zone> \
--project <project>
The gcloud service account I am using has been granted cluster-admin in the relevant GKE cluster:
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin \
--user $(gcloud config get-value account)
I can verify that my service account user should be using the cluster-admin role by checking my current gcloud user and checking the GKE ClusterRoleBinding:
$ gcloud config get-value account
terraform@<project>.iam.gserviceaccount.com
$ kubectl describe clusterrolebinding cluster-admin-binding
Name: cluster-admin-binding
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
User terraform@<project>.iam.gserviceaccount.com
According to kubectl I should be able to create ClusterRoleBindings:
$ kubectl auth can-i create clusterrolebinding
yes
Does anyone see which element of GKE RBAC I am missing?
The answer to the question "Creating a ClusterRole as the default compute service account fails with extra privileges error" led me to the solution.
If the ClusterRoleBinding is mapped to the service account ID instead of the email, everything works as expected.
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin \
--user $(gcloud iam service-accounts describe <service account email> --format="value(uniqueId)")
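As an added illustration that is not part of the question or the answer above: a small POSIX shell check that pulls the subject name out of the Forbidden message (the numeric ID GKE authenticates the service account as, visible in the `user=&{...}` part of the error) and compares it with the User subject of a ClusterRoleBinding. The function names, the sample error text and the sample `kubectl describe` output are constructed assumptions modelled on the post; the assertion token is elided.

```shell
#!/bin/sh
# Added example, not code from the original post. It mirrors the diagnosis
# in the answer: RBAC matches subjects by exact string, so a binding for the
# service account email never matches a request authenticated as its uniqueId.

# Pull the subject name out of "user=&{<name> [groups] ...}" in the RBAC
# error. For a GKE service account this is the numeric uniqueId, not the
# @<project>.iam.gserviceaccount.com email.
rbac_user_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*user=&{\([^ ]*\) .*/\1/p'
}

# Pull the first User subject out of "kubectl describe clusterrolebinding".
binding_user_subject() {
    printf '%s\n' "$1" | awk '$1 == "User" { print $2; exit }'
}

# Exit 0 when the binding's User subject equals the authenticated name.
binding_matches_user() {
    [ "$(binding_user_subject "$1")" = "$(rbac_user_from_error "$2")" ]
}

# Constructed sample shaped like the message in the question (token elided).
SAMPLE_ERROR='Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io "kubeip-sa" is forbidden: attempt to grant extra privileges: [...] user=&{108986779198363313539 [system:authenticated] map[user-assertion.cloud.google.com:[ELIDED]]} ownerrules=[...] ruleResolutionErrors=[]'

# Constructed describe output: the binding from the question (bound by email).
BINDING_BY_EMAIL='Subjects:
  Kind  Name                                          Namespace
  ----  ----                                          ---------
  User  terraform@<project>.iam.gserviceaccount.com'

# Constructed describe output after following the answer (bound by uniqueId).
BINDING_BY_ID='Subjects:
  Kind  Name                   Namespace
  ----  ----                   ---------
  User  108986779198363313539'

main() {
    echo "API server authenticated the caller as: $(rbac_user_from_error "$SAMPLE_ERROR")"
    binding_matches_user "$BINDING_BY_EMAIL" "$SAMPLE_ERROR" \
        && echo "email binding: matches" || echo "email binding: does NOT match"
    binding_matches_user "$BINDING_BY_ID" "$SAMPLE_ERROR" \
        && echo "uniqueId binding: matches" || echo "uniqueId binding: does NOT match"
}
main
```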