我创建了一个具有创建角色和角色绑定权限的服务帐户,但是可惜的是,当尝试创建角色时,它会出错。似乎IAM权限优先?怎么可能呢?
我收到此错误:
You either need to be cluster-admin or create a service-account that have the permission "Required "container.roles.create" permission."
我可能可以通过提供serviceaccount cluster-admin来解决此问题,但这太广泛了,因为serviceaccount无法访问所有内容。
apiVersion: v1
kind: ServiceAccount
metadata:
name: rbac-sync
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: role-creator
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rbac-sync-role-creator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: role-creator
subjects:
- kind: ServiceAccount
name: rbac-sync
namespace: default
答案 0 :(得分:0)
根据GCP文档setting up Role-Based access control:
由于创建角色或ClusterRole时GKE检查权限的方式,必须首先创建一个RoleBinding,该角色授予您要创建的角色中包含的所有权限。 一种解决方法是创建一个RoleBinding,在尝试创建其他Role或ClusterRole权限之前,为您的Google身份赋予集群管理员角色。