我在gce中有一个mongo数据库。 (参见下文)
当我将其部署到 1.7.12-gke.1 时,一切正常。这意味着边车解析了吊舱和链接
现在当我将相同的配置部署到 1.8.7-gke.1 时,导致缺少列出pod的权限,请参阅下文。
我不明白改变了什么。我假设我需要为用户帐户分配特定权限吗?
我错过了什么?
错误日志
1:ind配置:
message: 'pods is forbidden: User "system:serviceaccount:default:default" cannot list pods at the cluster scope: Unknown user "system:serviceaccount:default:default"',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | status: 'Failure',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | metadata: {},
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | apiVersion: 'v1',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | { kind: 'Status',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | message:
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | Error in workloop { [Error: [object Object]]
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | statusCode: 403 }
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | code: 403 },
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | details: { kind: 'pods' },
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | reason: 'Forbidden',
答案 0 :(得分:7)
根据原始解决方案:https://github.com/cvallance/mongo-k8s-sidecar/issues/75
您必须创建角色绑定,授予默认服务帐户查看权限:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: default-view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: default
namespace: default