创建“install / kubernetes / istio-rbac-beta.yaml”时出错

时间:2017-08-10 16:48:00

标签: kubernetes istio

我试图在我的环境中部署Istio并遇到以下错误。所有在线解决方案都是关于集群讨论的,我试过这样做但是却失败了。我问题的任何输入?

kubectl api-versions | grep rbac

rbac.authorization.k8s.io/v1alpha1
rbac.authorization.k8s.io/v1beta1

sudo kubectl apply -f install / kubernetes / istio-rbac-beta.yaml

rolebinding "istio-pilot-admin-role-binding" configured
rolebinding "istio-ca-role-binding" configured
rolebinding "istio-ingress-admin-role-binding" configured
rolebinding "istio-sidecar-role-binding" configured

Error from server (Forbidden): 
error when creating"install/kubernetes/istio-rbac-beta.yaml": 
clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden:
attempt to grant extra privileges: [{[*] [istio.io] [istioconfigs] [] 
[]} {[*] [istio.io] [istioconfigs.istio.io] [] []} {[*] [extensions] 
[thirdpartyresources] [] []} {[*] [extensions] 
[thirdpartyresources.extensions] [] []} {[*] [extensions] [ingresses] 
[] []} {[*] [] [configmaps] [] []} {[*] [] [endpoints] [] []} {[*] [] 
[pods] [] []} {[*] [] [services] [] []}] user=&{kubeconfig  
[system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]

Error from server (Forbidden): error when creating 
"install/kubernetes/istio-rbac-beta.yaml": 
clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden: 
attempt to grant extra privileges: [{[create] [] [secrets] [] []} 
{[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[list] [] 
[secrets] [] []} {[watch] [] [serviceaccounts] [] []} {[list] [] 
[serviceaccounts] [] []}] user=&{kubeconfig  [system:authenticated] 
map[]} ownerrules=[] ruleResolutionErrors=[]

Error from server (Forbidden): error when creating 
"install/kubernetes/istio-rbac-beta.yaml": 
clusterroles.rbac.authorization.k8s.io "istio-sidecar" is forbidden: 
attempt to grant extra privileges: [{[get] [istio.io] [istioconfigs] [] 
[]} {[watch] [istio.io] [istioconfigs] [] []} {[list] [istio.io] 
[istioconfigs] [] []} {[get] [extensions] [thirdpartyresources] [] []} 
{[watch] [extensions] [thirdpartyresources] [] []} {[list] [extensions] 
[thirdpartyresources] [] []} {[update] [extensions] 
[thirdpartyresources] [] []} {[get] [extensions] [ingresses] [] []} 
{[watch] [extensions] [ingresses] [] []} {[list] [extensions] 
[ingresses] [] []} {[update] [extensions] [ingresses] [] []} {[get] [] 
[configmaps] [] []} {[watch] [] [configmaps] [] []} {[list] [] 
[configmaps] [] []} {[get] [] [pods] [] []} {[watch] [] [pods] [] []} 
{[list] [] [pods] [] []} {[get] [] [endpoints] [] []} {[watch] [] 
[endpoints] [] []} {[list] [] [endpoints] [] []} {[get] [] [services] 
[] []} {[watch] [] [services] [] []} {[list] [] [services] [] []}] 
user=&{kubeconfig  [system:authenticated] map[]} ownerrules=[] 
ruleResolutionErrors=[]

3 个答案:

答案 0 :(得分:2)

Kubernetes给出的错误基本上意味着它认为你想要做的就是权限升级(这是正确的)并试图阻止它。

  

RBAC API通过编辑角色或角色绑定来防止用户升级权限。由于这是在API级别强制实施的,因此即使RBAC授权程序未在使用中也适用。   用户只能创建/更新角色,如果他们已经拥有角色中包含的所有权限,与角色在同一范围内(ClusterRole的群集范围内,在同一命名空间内或角色的群集范围内)。例如,如果“user-1”无法在群集范围内列出机密,则无法创建包含该权限的ClusterRole。   (取自here

原因是因为对您用来访问群集的用户应用的ClusterRole(使用ClusterRoleBinding)实际上并没有您尝试为应用程序提供的所有权限。要解决此问题,您需要创建一个ClusterRoleBinding,为您的用户提供必要的权限。在您的情况下,将您绑定到cluster-admin角色是有意义的,该角色为您提供无限制的权限。

要做到这一点,你可以运行类似的东西:

kubectl create clusterrolebinding --clusterrole cluster-admin --user your-user

答案 1 :(得分:1)

为了防止升级攻击,RBAC API不允许您创建具有您的用户当前没有的权限的角色(或角色绑定到包含您没有的权限的角色)

该消息告诉您,您尝试创建的角色具有当前用户(username = kubeconfig)没有的权限

有关详细信息,请参阅https://kubernetes.io/docs/admin/authorization/rbac/#privilege-escalation-prevention-and-bootstrapping

答案 2 :(得分:0)

我遇到了类似的问题。你在Azure上运行Kubernetes吗?

我在这里发布了针对Istio的问题:https://github.com/istio/issues/issues/48

请原谅我发布答案,因为StackOverflow不允许我发表评论,因为我没有足够的声誉。