My 1.9 cluster has this deployment role created for developer users. Deployment works as expected. Now I want to give the developers exec and log access. What role do I need to add for exec?
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Error message:
kubectl exec nginx -it -- sh
Error from server (Forbidden): pods "nginx" is forbidden: User "dev" cannot create pods/exec in the namespace "dev"
Thanks, SR
Answer 0: (Score: 13)
Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL of the relevant API endpoint. However, some Kubernetes APIs involve "subresources", such as the logs of a pod. [...] To represent this in an RBAC role, use a slash to delimit the resource and subresource.
To allow a subject to read pods and pod logs, and to be able to exec into pods, you would write:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
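To make the subresource point concrete, here is an added example (not from the answer or from Kubernetes itself) that models how RBAC rule matching treats "pods" versus "pods/exec". It is a simplified re-implementation of the matching logic rather than the real authorizer; the `Rule` class and `allowed` function are assumptions of this example, and the two rule sets are the Roles from the question and the answer, transcribed by hand.

```python
"""Simplified model of Kubernetes RBAC rule matching (added example)."""
from dataclasses import dataclass


@dataclass
class Rule:
    api_groups: list   # e.g. [""] for the core group
    resources: list    # e.g. ["pods", "pods/log"]
    verbs: list        # e.g. ["get", "list"]


def _resource_matches(rule_resource, resource, subresource):
    """A rule entry matches the combined 'resource/subresource' string,
    a '*' wildcard, or a '*/subresource' entry. Plain 'pods' never covers
    'pods/exec', which is exactly why the question's Role fails."""
    combined = f"{resource}/{subresource}" if subresource else resource
    if rule_resource in ("*", combined):
        return True
    return bool(subresource) and rule_resource == f"*/{subresource}"


def allowed(rules, api_group, resource, verb, subresource=""):
    """Return True if any rule grants verb on resource[/subresource]."""
    for r in rules:
        if "*" not in r.api_groups and api_group not in r.api_groups:
            continue
        if "*" not in r.verbs and verb not in r.verbs:
            continue
        if any(_resource_matches(rr, resource, subresource) for rr in r.resources):
            return True
    return False


# Role from the question (transcribed): full control of pods, but no subresources.
DEPLOYMENT_MANAGER = [
    Rule(["", "extensions", "apps"],
         ["deployments", "replicasets", "pods"],
         ["get", "list", "watch", "create", "update", "patch", "delete"]),
]

# Role from the answer (transcribed): read pods and logs, create exec sessions.
POD_AND_POD_LOGS_READER = [
    Rule([""], ["pods", "pods/log"], ["get", "list"]),
    Rule([""], ["pods/exec"], ["create"]),
]

if __name__ == "__main__":
    # 'kubectl exec' needs 'create pods/exec'; the question's Role lacks it.
    print(allowed(DEPLOYMENT_MANAGER, "", "pods", "create", "exec"))       # False
    print(allowed(POD_AND_POD_LOGS_READER, "", "pods", "create", "exec"))  # True
```

Running `kubectl auth can-i create pods --subresource=exec --as=dev -n dev` against a real cluster is the equivalent check for the bound user.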