我在集群中有两个吊舱。让我们将它们称为A和B。我已经在吊舱A中安装了kubectl,我正尝试使用kubectl exec -it podB -- bash在吊舱A中的吊舱B中运行命令。
我收到以下错误
Error from server (Forbidden): pods "B" is forbidden: User "system:serviceaccount:default:default" cannot create pods/exec in the namespace "default"
我创建了以下Role和RoleBinding以获取访问权限。 角色yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: api-role
namespace: default
labels:
app: tools-rbac
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
角色绑定Yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: global-rolebinding
namespace: default
labels:
app: tools-rbac
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
任何帮助将不胜感激。谢谢
答案 0 :(得分:3)
除了pods/exec之外,您还需要授予对pods子资源的访问权限,就像那里一样。也就是说,这是一件很奇怪的事情,可能很难思考这是否是最佳解决方案。