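I created my own application-specific Helm package and installed it through Helm, and everything worked fine.
But when I try to install nginx through the stable Helm chart (as specified in the standard instructions), I get the error below,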
root@ip-172-31-27-86:~/helm# helm install --name my-nginx stable/nginx-ingress
Error: release tinseled-billygoat failed: clusterroles.rbac.authorization.k8s.io "tinseled-billygoat-nginx-ingress" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["patch"]} PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] user=&{system:serviceaccount:kube-system:default bdf8f2bc-84e2-11e8-8fa3-02f0fae19e8e [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]
Helm list, which includes the chart details.
root@ip-172-31-27-86:/home/appHome/HelmPackages# helm list
NAME REVISION UPDATED STATUS CHART NAMESPACE
my-nginx 1 Wed Jul 11 11:02:37 2018 FAILED nginx-ingress-0.22.1 default
nodeapp1 1 Wed Jul 11 10:36:23 2018 DEPLOYED nodeapp-helm-0.1.0 default
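This looks like an RBAC issue, but I have successfully deployed nginx in a similar way before. Now I am facing this for the first time, so I am not sure where it could be going wrong.
Any help is appreciated.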
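Answer 0: (score: 0)
Sounds like the Helm service account has not been granted some of the privileges that your nginx ingress chart is trying to create. RBAC will not allow specific access to be created if the user doing so does not have that access themselves, which is quite logical to avoid privilege escalation when delegating access.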
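To see which identity the API server evaluated and which rules it lacked, the denial message can be parsed. This is an added example, not code from the thread: it reads `user=` as the requester, `ownerrules=` as the rules that requester already holds, and the `PolicyRule{...}` list as the rules it tried to grant without holding. `SAMPLE_ERROR` is a constructed, shortened message in the same format as the error in the question, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: shortened denial in the same format as the question's error.
SAMPLE_ERROR = (
    'Error: release example failed: clusterroles.rbac.authorization.k8s.io '
    '"example-nginx-ingress" is forbidden: attempt to grant extra privileges: '
    '[PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} '
    'PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} '
    'PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} '
    'PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] '
    'user=&{system:serviceaccount:kube-system:default 00000000-0000-0000-0000-000000000000 '
    '[system:serviceaccounts system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]'
)

RULE_RE = re.compile(r'PolicyRule\{Resources:\[(.*?)\], APIGroups:\[(.*?)\], Verbs:\[(.*?)\]\}')
USER_RE = re.compile(r'user=&\{(\S+)')
OWNER_RE = re.compile(r'ownerrules=\[(.*?)\] ruleResolutionErrors')

def _items(raw):
    # '"a" "b"' or '"a", "b"' -> ['a', 'b']; '""' -> [''] (the core API group)
    return re.findall(r'"([^"]*)"', raw)

def parse_denial(message):
    """Return (requester, owner rules text, {(apiGroup, resource): sorted verbs})."""
    # Only the list before " user=&{" holds the denied rules; ownerrules may hold rules too.
    denied = message.split("attempt to grant extra privileges:", 1)[-1].split(" user=&{", 1)[0]
    user = USER_RE.search(message)
    owner = OWNER_RE.search(message)
    missing = defaultdict(set)
    for resources, groups, verbs in RULE_RE.findall(denied):
        for group in _items(groups):
            for resource in _items(resources):
                missing[(group, resource)].update(_items(verbs))
    return (user.group(1) if user else None,
            owner.group(1) if owner else None,
            {k: sorted(v) for k, v in sorted(missing.items())})

def summarize(message):
    user, owner, missing = parse_denial(message)
    lines = [f"requester: {user}", f"requester holds no rules: {owner == ''}"]
    for (group, resource), verbs in missing.items():
        lines.append(f"missing: {group or 'core'}/{resource} -> {','.join(verbs)}")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_ERROR)))
```

Run against the full error from the question, the requester line shows the request was evaluated as `system:serviceaccount:kube-system:default` with an empty `ownerrules` list.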
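Answer 1: (score: 0)
I tried reinstalling Helm with a service account,
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
helm init --service-account tiller
But it still did not help; I was still getting the same issue.
However, for a quick test environment, I set this property while installing nginx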
--set rbac.create=false
Now nginx works fine, but this is not recommended for production servers.
helm install --name my-nginx stable/nginx-ingress --set rbac.create=false