Kubernetes: RBAC authorization for a custom resource fails

Time: 2019-04-25 09:11:40

Tags: kubernetes rbac kubernetes-custom-resources

922:johndoe:db-operator:(master)λ kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.6", GitCommit:"6260bb08c46c31eea6cb538b34a9ceb3e406689c", GitTreeState:"clean", BuildDate:"2017-12-21T06:34:11Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.12-gke.14", GitCommit:"021f778af7f1bd160d8fba226510f7ef9c9742f7", GitTreeState:"clean", BuildDate:"2019-03-30T19:30:57Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}

I created a custom resource definition and an operator to control that resource, but the operator gets a "forbidden" error when it runs.

The custom resource definition yaml, role.yaml and role_binding.yaml are:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: db-operator
rules:
  - apiGroups: ['']
    resources: ['pods', 'configmaps']
    verbs: ['get']
  - apiGroups: ['']
    resources: ['configmaps']
    verbs: ['create']
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['*']
  - apiGroups: ['']
    resources: ['databaseservices.app.example.com', 'databaseservices', 'DatabaseServices']

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: db-operator
subjects:
  - kind: ServiceAccount
    name: db-operator
    namespace: default
roleRef:
  kind: Role
  name: db-operator
  apiGroup: rbac.authorization.k8s.io

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: databaseservices.app.example.com
spec:
  group: app.example.com
  names:
    kind: DatabaseService
    listKind: DatabaseServiceList
    plural: databaseservices
    singular: databaseservice
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description:
            'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description:
            'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          type: object
        status:
          type: object
  version: v1alpha1
  versions:
    - name: v1alpha1
      served: true
      storage: true

• Note that I am trying to reference the custom resource by its plural name, by the name with the group, and by the kind.

As can be seen from the Role definition, the permissions for the other resources seem to work.

But the operator always throws the following error:

E0425 09:02:04.687611       1 reflector.go:134] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.DatabaseService: databaseservices.app.example.com is forbidden: User "system:serviceaccount:default:db-operator" cannot list databaseservices.app.example.com in the namespace "default"

Any idea what is causing this?

1 answer:

Answer 0 (score: 1)

Try using this role definition for your custom resource:

- apiGroups: ['app.example.com']
  resources: ['databaseservices']
  verbs: ['*']
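To make the difference between the asker's rule and the answer's rule concrete, here is an added example (not code from the question or the answer, and not the kube-apiserver's own implementation) that models how the RBAC authorizer matches a resource request against a Role's rules. The `Rule` and `Request` shapes and the helper names are assumptions made for this illustration. It shows that `apiGroups: ['']` only ever covers core-group resources, that `resources:` is compared against the plural resource name alone (neither `databaseservices.app.example.com` nor the Kind `DatabaseServices` can match), and that the answer's rule allows the operator's list call.

```python
# Added example, not code from the question or the answer: a small model of
# how the Kubernetes RBAC authorizer matches a resource request against the
# rules of a Role. The Rule/Request shapes are assumptions made for this
# illustration; the real matcher is inside kube-apiserver. It shows why the
# asker's rule never matches the operator's list call and why the rule from
# the answer does.

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One entry of a Role's `rules:` list."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


@dataclass
class Request:
    """A resource request as the authorizer sees it."""
    verb: str
    api_group: str      # "" is the core group (pods, secrets, ...)
    resource: str       # plural resource name only, e.g. "databaseservices"
    name: str = ""      # object name; empty for list/watch on a collection


def _covers(allowed: List[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    """True if one PolicyRule covers the request (wildcards honoured)."""
    if not _covers(rule.verbs, req.verb):
        return False
    # apiGroups is compared with the request's API group, never with a
    # "resource.group" string, so "" only ever matches core resources
    if not _covers(rule.api_groups, req.api_group):
        return False
    # resources is compared with the plural resource name; the group is
    # not part of it and Kind names like "DatabaseServices" never match
    if not _covers(rule.resources, req.resource):
        return False
    # a resourceNames restriction cannot cover a nameless collection request
    if rule.resource_names and req.name not in rule.resource_names:
        return False
    return True


def matching_rule(rules: List[Rule], req: Request) -> Optional[int]:
    """Index of the first rule that allows the request, or None (forbidden)."""
    for i, rule in enumerate(rules):
        if rule_allows(rule, req):
            return i
    return None


# Rules from the question. Its last rule has no verbs at all; verbs ["*"] is
# substituted here (an assumption) to show that even the broadest verbs
# would not help because apiGroups and resources are wrong.
ASKER_RULES = [
    Rule([""], ["pods", "configmaps"], ["get"]),
    Rule([""], ["configmaps"], ["create"]),
    Rule([""], ["secrets"], ["*"]),
    Rule([""], ["databaseservices.app.example.com", "databaseservices",
               "DatabaseServices"], ["*"]),
]

# Same Role with the last rule replaced by the one the answer suggests.
ANSWER_RULES = ASKER_RULES[:3] + [
    Rule(["app.example.com"], ["databaseservices"], ["*"]),
]

# The request behind the "Failed to list *v1alpha1.DatabaseService" log line:
# the informer listing the CRD's resource in the operator's own namespace.
LIST_DATABASESERVICES = Request(verb="list", api_group="app.example.com",
                                resource="databaseservices")


if __name__ == "__main__":
    for label, rules in (("asker", ASKER_RULES), ("answer", ANSWER_RULES)):
        idx = matching_rule(rules, LIST_DATABASESERVICES)
        verdict = "forbidden" if idx is None else f"allowed by rule {idx}"
        print(f"{label}: list databaseservices.app.example.com -> {verdict}")
```

Two caveats for anyone checking this against a real cluster: a `rules` entry without `verbs` is rejected by the API server's Role validation, so the posted Role as shown would not even apply until that rule is completed, and the equivalent live check for the operator's identity is `kubectl auth can-i list databaseservices.app.example.com --as=system:serviceaccount:default:db-operator -n default`, which should print `yes` once the answer's rule is in place.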