How to deploy a ClusterRoleBinding on Google Kubernetes Engine for KubeIP

Time: 2019-03-28 17:10:50

Tags: kubernetes google-kubernetes-engine kubectl rbac

When trying to deploy KubeIP to GKE, I see an RBAC failure.

I have isolated the problem to the following part of the KubeIP infrastructure:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubeip-sa
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch","patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","list","watch"]

I get the following error from kubectl and GKE:

Error from server (Forbidden): error when creating "template.yml": clusterroles.rbac.authorization.k8s.io "kubeip-sa" is forbidden: attempt to grant extra privileges: [{[get] [] [nodes] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []} {[patch] [] [nodes] [] []} {[get] [] [pods] [] []} {[list] [] [pods] [] []} {[watch] [] [pods] [] []}] user=&{108986779198363313539 [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpldMDXqrDZ2slnJReDbLytxt6P2EEyEBbLNRB90oOATH4vIURo/lIhaBuAj9nnwwyxJDSxj2OdCyjjgBC/s5QxftIJnr8128ToTglCzk+e8Wybt4heIizRHugWnIhKNqkF+B0yiv0pIxgOfakma+SbkzbQbVzJPtgxsmHmak30YfPA58n/xyJ8R7oNVJ5dFUAWDFNsqHf/auolViw0Zd7Cr4aYYDXX4GScw==]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]

I create the appropriate ~/.kube/config by issuing:

gcloud container clusters get-credentials <cluster> \
  --zone <zone> \
  --project <project>

The gcloud service account I am using has been granted cluster-admin on the GKE cluster:

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud config get-value account)

I can verify that my service account user should have the cluster-admin role by checking my current gcloud user and checking the GKE ClusterRoleBinding:

$ gcloud config get-value account
terraform@<project>.iam.gserviceaccount.com

$ kubectl describe clusterrolebinding cluster-admin-binding
Name:         cluster-admin-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind  Name                                                Namespace
  ----  ----                                                ---------
  User  terraform@<project>.iam.gserviceaccount.com  

According to kubectl, I should be able to create ClusterRoleBindings:

$ kubectl auth can-i create clusterrolebinding
yes

Does anyone see what I am missing about GKE RBAC?

1 answer:

Answer 0 (score: 0)

The answer to the question "Creating a ClusterRole as the default compute service account fails with extra privileges error" led me to the solution.

If you map the ClusterRoleBinding to the service account's ID instead of its email, everything works.

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud iam service-accounts describe <service account email> --format="value(uniqueId)")
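As an added diagnostic (not part of the question or answer above, and not KubeIP code), the shell functions below parse the user= field of the Forbidden error and the Subjects of a ClusterRoleBinding to show why the escalation-prevention check fails: the API server authenticates the service account by its numeric uniqueId, while the binding names its email. The sample strings are constructed from the output in the question, with the assertion token abridged.

```shell
#!/usr/bin/env bash
# Compare the identity the API server authenticated against the User subjects
# of a ClusterRoleBinding. Sample inputs are constructed from the question.
set -eu

# Constructed sample: the user= section of the Forbidden error (token abridged).
SAMPLE_ERROR='Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io "kubeip-sa" is forbidden: attempt to grant extra privileges: [...] user=&{108986779198363313539 [system:authenticated] map[user-assertion.cloud.google.com:[...]]} ownerrules=[...] ruleResolutionErrors=[]'

# Constructed sample: Subjects section of `kubectl describe clusterrolebinding`.
SAMPLE_BINDING='Subjects:
  Kind  Name                                                Namespace
  ----  ----                                                ---------
  User  terraform@<project>.iam.gserviceaccount.com'

# Print the username the API server saw: the first field inside user=&{...}.
authenticated_user() {
  printf '%s\n' "$1" | sed -n 's/.*user=&{\([^ ]*\) .*/\1/p'
}

# Print the names of all User subjects from describe output, one per line.
binding_users() {
  printf '%s\n' "$1" | awk '$1 == "User" { print $2 }'
}

# Succeed only if the authenticated username is exactly one of the subjects.
subject_matches() {
  local user
  user=$(authenticated_user "$1")
  binding_users "$2" | grep -qxF -- "$user"
}

# Human-readable verdict for a (error, binding) pair.
report() {
  if subject_matches "$1" "$2"; then
    echo "OK: $(authenticated_user "$1") is a subject of the binding"
  else
    echo "MISMATCH: API server authenticated '$(authenticated_user "$1")'"
    echo "          but the binding names: $(binding_users "$2" | tr '\n' ' ')"
    echo "          The caller therefore only holds the default system:authenticated rules (see ownerrules=)."
  fi
}

report "$SAMPLE_ERROR" "$SAMPLE_BINDING"
```

A binding whose subject is the uniqueId (as in the answer's kubectl command) makes subject_matches succeed for the same error text.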