服务帐户虽然具有权限“服务器错误(禁止):...”,但无法获得Pod。

时间:2018-07-02 12:33:20

标签: kubernetes token

我创建了一个服务帐户,并希望授予其列出Pod kubectl get pods的权限。

我对服务帐户,角色和角色绑定有以下设置:

ServiceAccount.yaml 

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myservice3

Role.yaml 

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role
rules: 
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get"]

RoleBinding.yaml 

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  name: my-role-binding
  namespace: default
subjects: 
- kind: ServiceAccount 
  name: myservice3
  namespace: default
  apiGroup: ""
roleRef: 
  kind: Role
  name: my-role
  apiGroup: ""

我使用服务帐户的令牌创建了一个用户:

SECRET_NAME=`kubectl get serviceaccounts myservice3 -o json | jq -r '.secrets[].name'`
TOKEN=`kubectl get secrets $SECRET_NAME -o json | jq -r '.data | .token' | base64 -d`
kubectl config set-credentials $USER_NAME --token=$TOKEN

为此用户设置上下文:

kubectl config set-context my-context \
--cluster=kubernetes \
--namespace=default \
--user=$USER_NAME

当尝试使用其权限时:

$ kubectl get pods --context=my-context
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:myservice3" cannot list pods in the namespace "default"

我也尝试过使用curl

$ curl -k -v -H "Authorization: Bearer $TOKEN" https://127.0.0.1:6443
* About to connect() to 127.0.0.1 port 6443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=kube-apiserver
*       start date: Jul 02 09:36:21 2018 GMT
*       expire date: Jul 02 09:36:21 2019 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:6443
> Accept: */*
> Authorization: Bearer <JWT_token>
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Mon, 02 Jul 2018 12:17:10 GMT
< Content-Length: 257
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:default:myservice3\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
* Connection #0 to host 127.0.0.1 left intact

知道我在做什么错吗?我授予了服务帐户get pods的权限,但仍被禁止。

1 个答案:

答案 0 :(得分:2)

Role.yaml还必须具有kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: my-role rules: - apiGroups: ["", "extensions", "apps"] resources: ["pods"] verbs: ["get", "list"] 

get

list是获得单个物品的权限,而kubectl get pods --context=myservice3-context 是获得所有物品的权限。
现在可以在运行时使用:

curl -k -v -H "Authorization: Bearer <JWT_token> " https://127.0.0.1:6443/api/v1/namespaces/default/pods

OR 

[A-Z0-9]
相关问题
最新问题