我想通过api服务器访问kubernetes部署对象。
我有一个如下所示的服务帐户文件。
apiVersion: v1
kind: ServiceAccount
metadata:
name: name
namespace: namespace
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: name
namespace: namespace
rules:
- apiGroups: [""]
resources: ["deployment"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["deployment/exec"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["deployment/log"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: name
namespace: namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: name
subjects:
- kind: ServiceAccount
name: name
在访问端点时,我收到403 Forbidden错误,该服务帐户拥有者的令牌
/apis/apps/v1beta1/namespaces/namespace/deployments
答案 0 :(得分:2)
您所有角色的规则都是针对核心(空)API group的。但是,您尝试访问的URL /apis/apps/v1beta1在“ apps” API组中(/apis之后的路径的一部分)。因此,要访问该特定的API路径,您需要将角色定义更改为
rules:
- apiGroups: ["apps"]
resources: ["deployment"]
verbs: ["create","delete","get","list","patch","update","watch"]
# and also the other deployment subpaths