Last week I created a cluster with kubeadm on CentOS 7, version 1.7.3. I followed the steps from Bitnami to create a certificate and config for a user in a new namespace, with a new context for RBAC. The user can authenticate against the cluster with the config, and his kubectl commands stay within the namespace. He tries to run a deployment and gets an error from the server. His service is created but not the deployment, so I'm confused by the partial ability to create things.
Role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: dev
  name: deployment-manager
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
RoleBinding:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployment-manager-binding
  namespace: dev
subjects:
- kind: User
  name: $ID
  apiGroup: ""
roleRef:
  kind: Role
  name: deployment-manager
  apiVersion: rbac.authorization.k8s.io/v1beta1
# kubectl get namespaces
NAME STATUS AGE
default Active 6d
kube-public Active 6d
kube-system Active 6d
dev Active 1d
kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kubernetes-admin@kubernetes kubernetes kubernetes-admin
dev kubernetes $ID dev
The user's kubeconfig:
$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://$IP:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: dev
    user: $ID
  name: dev
current-context: dev
kind: Config
preferences: {}
users:
- name: $ID
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
What the user tried:
[$ID]$ kubectl create -f k8s.yml --record
service "aggregator-service" created
Error from server (Forbidden): error when creating "k8s.yml": User "$ID" cannot create deployments.apps in the namespace "dev". (post deployments.apps)
[$ID ~]$ kubectl get svc
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
aggregator-service 10.xxx.xxx.xxx <pending> 8090:32524/TCP,8091:30329/TCP 24
k8s.yml:
apiVersion: v1
kind: Service
metadata:
  name: aggregator-service
  labels:
    app: aggregator
    tier: agg
spec:
  type: LoadBalancer
  ports:
  - port: 8090
    targetPort: 8090
    name: http
  - port: 8091
    targetPort: 8091
    name: http-admin
  selector:
    app: aggregator
    tier: agg
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: aggregator-deployment
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: aggregator
        tier: agg
    spec:
      containers:
      - name: aggregator-service
        image: $IMAGE
        ports:
        - containerPort: 8090
Any pointers in the right direction would be appreciated! Thanks.
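As an added check, not part of the original post or of Kubernetes itself: a small Python model of how the apiserver matches a namespaced RoleBinding and Role against a request, seeded with the Role and RoleBinding shown above (hand-built dicts, so it runs offline). It assumes the standard RBAC semantics: "*" in verbs, apiGroups or resources matches anything, and a binding only grants inside its own namespace and only when the referenced Role exists there.

```python
# Minimal model of Kubernetes RBAC rule matching (added example, not from the original post).
# Role and RoleBinding are hand-built dicts mirroring the question, so it runs offline.
ROLE = {
    "metadata": {"namespace": "dev", "name": "deployment-manager"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
BINDING = {
    "metadata": {"namespace": "dev", "name": "deployment-manager-binding"},
    "subjects": [{"kind": "User", "name": "$ID"}],
    "roleRef": {"kind": "Role", "name": "deployment-manager"},
}

def _matches(wanted, allowed):
    # A rule field matches when it lists the exact value or the wildcard "*".
    return "*" in allowed or wanted in allowed

def rule_allows(rule, verb, api_group, resource):
    # Mirror of the apiserver's rule check: verb, apiGroup and resource must all match.
    # A request resource may carry a subresource ("deployments/status"); the rule may
    # then list that exact string or "*/status".
    if not _matches(verb, rule.get("verbs", [])):
        return False
    if not _matches(api_group, rule.get("apiGroups", [])):
        return False
    resources = rule.get("resources", [])
    if _matches(resource, resources):
        return True
    return "/" in resource and "*/" + resource.split("/", 1)[1] in resources

def binding_applies(binding, user, groups, namespace):
    # A RoleBinding grants only inside its own namespace and only to its listed subjects.
    if binding["metadata"]["namespace"] != namespace:
        return False
    return any((s["kind"] == "User" and s["name"] == user)
               or (s["kind"] == "Group" and s["name"] in groups)
               for s in binding["subjects"])

def can_i(user, verb, api_group, resource, namespace, roles, bindings, groups=()):
    # True when a binding in `namespace` for `user` refers to a Role (keyed by name in
    # `roles`) that exists in that namespace and whose rules allow the request.
    for b in bindings:
        if not binding_applies(b, user, groups, namespace):
            continue
        role = roles.get(b["roleRef"]["name"])
        if role is None or role["metadata"]["namespace"] != namespace:
            continue  # roleRef names a Role that is missing from this namespace
        if any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False
ROLES = {ROLE["metadata"]["name"]: ROLE}
BINDINGS = [BINDING]
```

Under these rules `can_i("$ID", "create", "apps", "deployments", "dev", ROLES, BINDINGS)` is True, so comparing that with what the live cluster answers (on versions that have `kubectl auth can-i create deployments.apps -n dev --as=$ID`) narrows the question to which Role and RoleBinding objects the server actually stores in `dev`.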