I am trying to deploy Istio in my environment and ran into the following error. All the solutions online talk about cluster settings; I tried them, but they did not work. Any input on my problem?
kubectl api-versions | grep rbac
rbac.authorization.k8s.io/v1alpha1
rbac.authorization.k8s.io/v1beta1
sudo kubectl apply -f install/kubernetes/istio-rbac-beta.yaml
rolebinding "istio-pilot-admin-role-binding" configured
rolebinding "istio-ca-role-binding" configured
rolebinding "istio-ingress-admin-role-binding" configured
rolebinding "istio-sidecar-role-binding" configured
Error from server (Forbidden):
error when creating "install/kubernetes/istio-rbac-beta.yaml":
clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden:
attempt to grant extra privileges: [{[*] [istio.io] [istioconfigs] []
[]} {[*] [istio.io] [istioconfigs.istio.io] [] []} {[*] [extensions]
[thirdpartyresources] [] []} {[*] [extensions]
[thirdpartyresources.extensions] [] []} {[*] [extensions] [ingresses]
[] []} {[*] [] [configmaps] [] []} {[*] [] [endpoints] [] []} {[*] []
[pods] [] []} {[*] [] [services] [] []}] user=&{kubeconfig
[system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating
"install/kubernetes/istio-rbac-beta.yaml":
clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden:
attempt to grant extra privileges: [{[create] [] [secrets] [] []}
{[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[list] []
[secrets] [] []} {[watch] [] [serviceaccounts] [] []} {[list] []
[serviceaccounts] [] []}] user=&{kubeconfig [system:authenticated]
map[]} ownerrules=[] ruleResolutionErrors=[]
Error from server (Forbidden): error when creating
"install/kubernetes/istio-rbac-beta.yaml":
clusterroles.rbac.authorization.k8s.io "istio-sidecar" is forbidden:
attempt to grant extra privileges: [{[get] [istio.io] [istioconfigs] []
[]} {[watch] [istio.io] [istioconfigs] [] []} {[list] [istio.io]
[istioconfigs] [] []} {[get] [extensions] [thirdpartyresources] [] []}
{[watch] [extensions] [thirdpartyresources] [] []} {[list] [extensions]
[thirdpartyresources] [] []} {[update] [extensions]
[thirdpartyresources] [] []} {[get] [extensions] [ingresses] [] []}
{[watch] [extensions] [ingresses] [] []} {[list] [extensions]
[ingresses] [] []} {[update] [extensions] [ingresses] [] []} {[get] []
[configmaps] [] []} {[watch] [] [configmaps] [] []} {[list] []
[configmaps] [] []} {[get] [] [pods] [] []} {[watch] [] [pods] [] []}
{[list] [] [pods] [] []} {[get] [] [endpoints] [] []} {[watch] []
[endpoints] [] []} {[list] [] [endpoints] [] []} {[get] [] [services]
[] []} {[watch] [] [services] [] []} {[list] [] [services] [] []}]
user=&{kubeconfig [system:authenticated] map[]} ownerrules=[]
ruleResolutionErrors=[]
Answer 0: (score: 2)
The error Kubernetes gives basically means that it considers what you are trying to do a privilege escalation (which is correct) and is trying to prevent it.
The RBAC API prevents users from escalating privileges by editing roles or role bindings. Because this is enforced at the API level, it applies even when the RBAC authorizer is not in use. A user can only create/update a role if they already have all the permissions contained in the role, at the same scope as the role (cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role). For example, if "user-1" does not have the ability to list secrets cluster-wide, they cannot create a ClusterRole containing that permission. (taken from here)
The reason is that the ClusterRole applied (via a ClusterRoleBinding) to the user you use to access the cluster does not actually have all the permissions you are trying to grant to the application. To fix this, you need to create a ClusterRoleBinding that gives your user the necessary permissions. In your case it makes sense to bind yourself to the cluster-admin role, which gives you unrestricted permissions.
To do that, you can run something like:
kubectl create clusterrolebinding your-binding-name --clusterrole cluster-admin --user your-user
Answer 1: (score: 1)
To prevent escalation attacks, the RBAC API does not let you create roles with permissions your user does not currently have (or role bindings to roles containing permissions you do not have).
The message tells you that the role you are trying to create has permissions that your current user (username=kubeconfig) does not have.
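Both answers above describe the same check: the API server compares every rule in the role being created against the rules the requesting user already holds (the empty `ownerrules=[]` in the error output), and refuses if any rule is not covered. The following is an added example, not code from the question or either answer: a simplified Python re-implementation of that coverage idea (verbs, apiGroups and resources only; resourceNames and nonResourceURLs are ignored, and the real API server's logic is more elaborate), together with a parser for the "attempt to grant extra privileges" text so you can see exactly which permissions your user is missing before deciding whether a full cluster-admin binding is really needed. The sample error text is quoted from the question; `kubectl auth can-i` is the real kubectl subcommand for checking a single permission.

```python
"""Simplified model of the RBAC escalation check behind the
'attempt to grant extra privileges' error (added example, not Kubernetes code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One PolicyRule, reduced to the three fields the error message prints first."""
    verbs: frozenset
    api_groups: frozenset   # the core API group is represented as ""
    resources: frozenset


# A rule equivalent to the cluster-admin ClusterRole: everything on everything.
CLUSTER_ADMIN = Rule(frozenset({"*"}), frozenset({"*"}), frozenset({"*"}))

# Each granted rule is printed by the API server as
#   {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}
# and may be wrapped across lines, hence \s+ between the bracket groups.
_RULE_RE = re.compile(
    r"\{\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]\}"
)

# Quoted from the question's output for the "istio-ca" ClusterRole.
ISTIO_CA_ERROR = """Error from server (Forbidden): error when creating
"install/kubernetes/istio-rbac-beta.yaml":
clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden:
attempt to grant extra privileges: [{[create] [] [secrets] [] []}
{[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[list] []
[secrets] [] []} {[watch] [] [serviceaccounts] [] []} {[list] []
[serviceaccounts] [] []}] user=&{kubeconfig [system:authenticated]
map[]} ownerrules=[] ruleResolutionErrors=[]"""


def parse_extra_privileges(error_text: str) -> list:
    """Extract the rules the server refused to grant, in the order printed."""
    rules = []
    for verbs, groups, resources, _names, _urls in _RULE_RE.findall(error_text):
        rules.append(Rule(
            verbs=frozenset(verbs.split()),
            # Go prints [""] (the core group) as an empty list; map it back to "".
            api_groups=frozenset(groups.split()) or frozenset({""}),
            resources=frozenset(resources.split()),
        ))
    return rules


def _matches(wanted: str, held: frozenset) -> bool:
    # A held wildcard covers anything; otherwise the exact value must be held.
    # A wanted wildcard is therefore only covered by a held wildcard.
    return "*" in held or wanted in held


def rule_covered(wanted: Rule, held_rules) -> bool:
    """True if every (verb, group, resource) combination in `wanted` is
    permitted by at least one rule the user already holds."""
    for verb in wanted.verbs:
        for group in wanted.api_groups:
            for resource in wanted.resources:
                if not any(_matches(verb, r.verbs)
                           and _matches(group, r.api_groups)
                           and _matches(resource, r.resources)
                           for r in held_rules):
                    return False
    return True


def missing_rules(role_rules, held_rules) -> list:
    """The rules of the new role that the user does not already hold; the API
    server rejects the create/update if this list is non-empty."""
    return [r for r in role_rules if not rule_covered(r, held_rules)]


def can_i_commands(rules) -> list:
    """One `kubectl auth can-i VERB RESOURCE[.GROUP]` check per missing permission,
    so the result can be confirmed against the live cluster."""
    cmds = []
    for r in rules:
        for verb in sorted(r.verbs):
            for group in sorted(r.api_groups):
                for resource in sorted(r.resources):
                    target = f"{resource}.{group}" if group else resource
                    cmds.append(f"kubectl auth can-i {verb} {target}")
    return cmds


if __name__ == "__main__":
    wanted = parse_extra_privileges(ISTIO_CA_ERROR)
    # The question's user held no rules at all (ownerrules=[]), so nothing is covered.
    print("missing with no held rules:", len(missing_rules(wanted, [])))
    # A read-only secrets viewer still lacks create on secrets and any serviceaccounts access.
    viewer = Rule(frozenset({"get", "list", "watch"}), frozenset({""}), frozenset({"secrets"}))
    for cmd in can_i_commands(missing_rules(wanted, [viewer])):
        print(cmd)
    # cluster-admin covers everything, which is why answer 0's binding makes the apply succeed.
    print("missing as cluster-admin:", missing_rules(wanted, [CLUSTER_ADMIN]))
```

Running the parser over the other two error blocks in the question (istio-pilot and istio-sidecar) works the same way; the `[*]` verb on `istioconfigs` is only covered by a held wildcard, which is the concrete reason a narrowly scoped user cannot create the istio-pilot ClusterRole even if it can read and write those resources individually.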
Answer 2: (score: 0)
I ran into a similar problem. Are you running Kubernetes on Azure?
I filed an issue against Istio here: https://github.com/istio/issues/issues/48
Please forgive me for posting this as an answer; StackOverflow will not let me comment because I do not have enough reputation.