Kubernetes returns "Forbidden" even though RBAC permissions are set

Time: 2018-08-27 11:56:07

Tags: kubernetes rbac

I'm trying to create a proper set of permissions for a serviceAccount. For some reason it seems to ignore the permissions I granted, so it gives me a lot of errors. I can't see what I'm doing wrong. Am I applying something in the wrong namespace or something similar?

My Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: r-wercker-ingress-new
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: ["extensions"]
  resources: ["deployments"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]

My RoleBinding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: r-wercker-ingress-new
subjects:
- kind: ServiceAccount
  name: wercker
  namespace: kube-ingress
roleRef:
  kind: Role
  name: r-wercker-ingress-new
  apiGroup: rbac.authorization.k8s.io

kubectl output for the Role:

kubectl describe role r-wercker-ingress-new
Name:         r-wercker-ingress-new
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"r-wercker-ingress-new","namespace":"default"},"rules":[...
PolicyRule:
  Resources                             Non-Resource URLs  Resource Names  Verbs
  ---------                             -----------------  --------------  -----
  configmaps                            []                 []              [create delete patch update get watch list]
  deployments.extensions                []                 []              [create delete patch update get watch list]
  horizontalpodautoscalers.autoscaling  []                 []              [create delete patch update get watch list]
  namespaces                            []                 []              [create delete patch update get watch list]
  serviceaccounts                       []                 []              [create delete patch update get watch list]
  services                              []                 []              [create delete patch update get watch list]

kubectl output for the RoleBinding:

kubectl describe rolebinding r-wercker-ingress-new
Name:         r-wercker-ingress-new
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"r-wercker-ingress-new","namespace":"default"},"r...
Role:
  Kind:  Role
  Name:  r-wercker-ingress-new
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  wercker  kube-ingress

Error output when trying to apply my resources:

Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d380 0xc4205982a0  kube-ingress resources/kube-ingress/ingress-controller-nginx.yml 0xc420df4370  false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": namespaces "kube-ingress" is forbidden: User "system:serviceaccount:default:wercker" cannot get namespaces in the namespace "kube-ingress"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d440 0xc420599340 kube-ingress nginx-ingress-controller resources/kube-ingress/ingress-controller-nginx.yml 0xc420df43f8  false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": serviceaccounts "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get serviceaccounts in the namespace "kube-ingress"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d680 0xc4201e55e0  nginx-ingress-controller resources/kube-ingress/ingress-controller-nginx.yml 0xc420df4500  false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": clusterroles.rbac.authorization.k8s.io "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get clusterroles.rbac.authorization.k8s.io at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d740 0xc4204c4770  nginx-ingress-controller resources/kube-ingress/ingress-controller-nginx.yml 0xc420df4578  false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": clusterrolebindings.rbac.authorization.k8s.io "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get clusterrolebindings.rbac.authorization.k8s.io at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d800 0xc4204c5e30 kube-ingress ingress-nginx resources/kube-ingress/ingress-controller-nginx.yml 0xc420df45f0  false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": services "ingress-nginx" is forbidden: User "system:serviceaccount:default:wercker" cannot get services in the namespace "kube-ingress"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d8c0 0xc420134a10 kube-ingress ingress-nginx resources/kube-ingress/ingress-controller-nginx.yml 0xc420df4660  false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": configmaps "ingress-nginx" is forbidden: User "system:serviceaccount:default:wercker" cannot get configmaps in the namespace "kube-ingress"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d980 0xc420145ab0 kube-ingress ingress-nginx resources/kube-ingress/ingress-controller-nginx.yml 0xc420df46f0  false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": deployments.extensions "ingress-nginx" is forbidden: User "system:serviceaccount:default:wercker" cannot get deployments.extensions in the namespace "kube-ingress"

Edit 1: I tried moving the resources into the corresponding namespace, but I still get the same errors.

kubectl --namespace kube-ingress get role
NAME                    AGE
r-wercker-ingress-new   2m

kubectl --namespace kube-ingress describe role r-wercker-ingress-new
Name:         r-wercker-ingress-new
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"r-wercker-ingress-new","namespace":"kube-ingress"},"rul...
PolicyRule:
  Resources                             Non-Resource URLs  Resource Names  Verbs
  ---------                             -----------------  --------------  -----
  configmaps                            []                 []              [create delete patch update get watch list]
  deployments.extensions                []                 []              [create delete patch update get watch list]
  horizontalpodautoscalers.autoscaling  []                 []              [create delete patch update get watch list]
  namespaces                            []                 []              [create delete patch update get watch list]
  serviceaccounts                       []                 []              [create delete patch update get watch list]
  services                              []                 []              [create delete patch update get watch list]

kubectl --namespace kube-ingress get rolebinding
NAME                              AGE
r-wercker-ingress-new             2m

kubectl --namespace kube-ingress describe rolebinding r-wercker-ingress-new
Name:         r-wercker-ingress-new
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"r-wercker-ingress-new","namespace":"kube-ingress...
Role:
  Kind:  Role
  Name:  r-wercker-ingress-new
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  wercker  kube-ingress

Still gives:

Error from server (Forbidden): error when retrieving current configuration of:
&{0xc420d14840 0xc420382620 kube-ingress nginx-ingress-controller resources/kube-ingress/ingress-controller-nginx.yml 0xc42160e560  false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": serviceaccounts "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get serviceaccounts in the namespace "kube-ingress"

I have deleted and re-created the Roles and RoleBindings.

2 answers:

Answer 0 (score: 3)

Yes, it looks like you are applying the resources into the wrong namespace. If you want to set these permissions for the namespace kube-ingress, you need to create the resources in that namespace.

So you can add this line to the metadata of the Role, the RoleBinding and the ServiceAccount:

namespace: kube-ingress

With a Role and a RoleBinding you define permissions for a single namespace. If you want to create cluster-wide permissions, you can use a ClusterRole and a ClusterRoleBinding.

You can also create a ClusterRole for the common cases and then bind it to a single namespace with a RoleBinding. The k8s docs are very helpful on this: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole

Answer 1 (score: 2)

As discussed in the Kubernetes Slack channel, you have to specify the namespace.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: r-wercker-ingress-new
  namespace: kube-ingress
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: ["extensions"]
  resources: ["deployments"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
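Both answers come down to how RBAC scopes a grant: a RoleBinding only grants inside its own namespace, a ServiceAccount subject only matches when its namespace field names the namespace the account really lives in (the error output identifies the caller as system:serviceaccount:default:wercker, while the binding's subject says kube-ingress), and cluster-scoped resources such as clusterroles and clusterrolebindings can only be granted through a ClusterRole plus ClusterRoleBinding. The Python script below is an added example, not code from the question, the answers or Kubernetes itself: it parses the Forbidden lines kubectl prints, models the page's Role and RoleBinding as dicts in manifest shape, and reports for each denial which of those three checks fails. It is a deliberately simplified model of the RBAC authorizer (no resourceNames, subresources, Group subjects or ClusterRole aggregation); the sample Forbidden lines are constructed after the question's output, and the ClusterRole and ClusterRoleBinding named wercker-rbac-reader are assumed objects that do not appear on the page.

```python
import re
from collections import namedtuple

# Constructed input: Forbidden lines in the shape kubectl prints for RBAC denials, modelled on
# three of the seven lines in the question's output (not taken from a live cluster).
FORBIDDEN_LINES = [
    'namespaces "kube-ingress" is forbidden: User "system:serviceaccount:default:wercker" '
    'cannot get namespaces in the namespace "kube-ingress"',
    'clusterroles.rbac.authorization.k8s.io "nginx-ingress-controller" is forbidden: User '
    '"system:serviceaccount:default:wercker" cannot get clusterroles.rbac.authorization.k8s.io '
    'at the cluster scope',
    'deployments.extensions "ingress-nginx" is forbidden: User "system:serviceaccount:default:wercker" '
    'cannot get deployments.extensions in the namespace "kube-ingress"',
]
FORBIDDEN_RE = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>[\w.]+) '
                          r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)')
# namespace is None for a cluster-scoped request; group "" is the core API group
Denied = namedtuple("Denied", "user verb group resource namespace")

def parse_forbidden(line):
    """Extract who was denied which verb on which resource, and where, from one kubectl line."""
    m = FORBIDDEN_RE.search(line)
    if not m:
        return None
    resource, _, group = m.group("resource").partition(".")   # kubectl writes "resource.group"
    return Denied(m.group("user"), m.group("verb"), group, resource, m.group("namespace"))

def subject_matches(subject, user):
    """A ServiceAccount subject matches only the user name built from *its own* namespace field."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and subject["name"] == user

def rule_allows(rule, d):
    hit = lambda values, wanted: "*" in values or wanted in values
    return hit(rule["apiGroups"], d.group) and hit(rule["resources"], d.resource) and hit(rule["verbs"], d.verb)

def diagnose(d, roles, bindings):
    """Return [] if some binding grants the request, else one reason per binding that failed."""
    reasons = []
    for b in bindings:
        bname = f'{b["kind"]}/{b["metadata"]["name"]}'
        if not any(subject_matches(s, d.user) for s in b["subjects"]):
            reasons.append(f"{bname}: no subject matches {d.user}")
            continue
        ns = b["metadata"].get("namespace")      # None for a ClusterRoleBinding
        if b["kind"] == "RoleBinding" and ns != d.namespace:
            where = f'namespace "{d.namespace}"' if d.namespace else "the cluster scope"
            reasons.append(f'{bname}: lives in namespace "{ns}", so it cannot grant anything in {where}')
            continue
        ref = b["roleRef"]
        role = roles.get((ref["kind"], ref["name"], ns if ref["kind"] == "Role" else None), {"rules": []})
        if any(rule_allows(r, d) for r in role["rules"]):
            return []
        reasons.append(f"{bname}: {ref['kind']}/{ref['name']} grants no rule for {d.verb} {d.resource} in group {d.group!r}")
    return reasons

ALL_VERBS = ["create", "delete", "patch", "update", "get", "watch", "list"]
SA = lambda namespace: {"kind": "ServiceAccount", "name": "wercker", "namespace": namespace}

# The question's Role and RoleBinding in manifest shape, placed in kube-ingress as the answers say;
# the RoleBinding takes the subject namespace as a parameter so both variants can be checked.
ROLE = {"kind": "Role", "metadata": {"name": "r-wercker-ingress-new", "namespace": "kube-ingress"},
        "rules": [{"apiGroups": [""], "resources": ["namespaces", "serviceaccounts", "services", "configmaps"],
                   "verbs": ALL_VERBS},
                  {"apiGroups": ["extensions"], "resources": ["deployments"], "verbs": ALL_VERBS},
                  {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"], "verbs": ALL_VERBS}]}

def rolebinding(subject_namespace):
    return {"kind": "RoleBinding", "metadata": {"name": "r-wercker-ingress-new", "namespace": "kube-ingress"},
            "subjects": [SA(subject_namespace)], "roleRef": {"kind": "Role", "name": "r-wercker-ingress-new"}}

# Assumed objects, not on the page: a read-only ClusterRole plus ClusterRoleBinding for the two
# cluster-scoped lookups (clusterroles, clusterrolebindings) that the error output also shows.
CLUSTER_ROLE = {"kind": "ClusterRole", "metadata": {"name": "wercker-rbac-reader"},
                "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                           "resources": ["clusterroles", "clusterrolebindings"], "verbs": ["get"]}]}

def clusterrolebinding(subject_namespace):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": "wercker-rbac-reader"},
            "subjects": [SA(subject_namespace)], "roleRef": {"kind": "ClusterRole", "name": "wercker-rbac-reader"}}

ROLES = {("Role", "r-wercker-ingress-new", "kube-ingress"): ROLE, ("ClusterRole", "wercker-rbac-reader", None): CLUSTER_ROLE}

def check_all(lines, bindings):
    """Map each Forbidden line ("verb resource.group") to its diagnosis; [] means now allowed."""
    out = {}
    for d in filter(None, map(parse_forbidden, lines)):
        out[f"{d.verb} {d.resource}" + (f".{d.group}" if d.group else "")] = diagnose(d, ROLES, bindings)
    return out

if __name__ == "__main__":
    for label, bindings in [("as posted", [rolebinding("kube-ingress")]),
                            ("subject namespace = default, plus ClusterRoleBinding",
                             [rolebinding("default"), clusterrolebinding("default")])]:
        print(f"== {label}")
        for req, reasons in check_all(FORBIDDEN_LINES, bindings).items():
            print(f"  {req}: " + ("ALLOWED" if not reasons else "; ".join(reasons)))
```

Run as-is, the "as posted" pass shows every request still denied with "no subject matches", because the binding's subject namespace (kube-ingress) does not equal the namespace in the caller's identity (default); whether you fix that by moving the ServiceAccount into kube-ingress, as Answer 0 suggests, or by pointing the subject at default, the check is the same: subject namespace must equal the namespace the account actually lives in. With that fixed, only the two cluster-scoped lookups remain denied until a ClusterRoleBinding is added. Against a live cluster the equivalent check is kubectl auth can-i with impersonation, for example `kubectl auth can-i get deployments.extensions -n kube-ingress --as=system:serviceaccount:default:wercker`, which evaluates the real authorizer rather than this model.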