Service account cannot delete a resource even though it should have permission to delete it

Time: 2019-05-31 12:35:14

Tags: kubernetes rbac

I have a service account monitoring:prometheus-operator-operator, and this cluster role is bound to it:

Name:         prometheus-operator-operator
Labels:       app=prometheus-operator-operator
              chart=prometheus-operator-5.7.0
              heritage=Tiller
              release=prometheus-operator
Annotations:  <none>
PolicyRule:
  Resources                                       Non-Resource URLs  Resource Names  Verbs
  ---------                                       -----------------  --------------  -----
  configmaps                                      []                 []              [*]
  secrets                                         []                 []              [*]
  customresourcedefinitions.apiextensions.k8s.io  []                 []              [*]
  statefulsets.apps                               []                 []              [*]
  alertmanagers.monitoring.coreos.com/finalizers  []                 []              [*]
  alertmanagers.monitoring.coreos.com             []                 []              [*]
  prometheuses.monitoring.coreos.com/finalizers   []                 []              [*]
  prometheuses.monitoring.coreos.com              []                 []              [*]
  prometheusrules.monitoring.coreos.com           []                 []              [*]
  servicemonitors.monitoring.coreos.com           []                 []              [*]
  endpoints                                       []                 []              [get create update]
  services                                        []                 []              [get create update]
  namespaces                                      []                 []              [get list watch]
  pods                                            []                 []              [list delete]
  nodes                                           []                 []              [list watch]

Now I am trying to run

curl -ik -X DELETE \
  -H "Authorization: Bearer <SERVICE_ACCOUNT_TOKEN>" \
  https://kubernetes.default.svc/apis/monitoring.coreos.com/v1/monitoring/prometheusrules/zalenium

from a container in the cluster to delete the PrometheusRule,

but my request does not succeed and is rejected with a 403:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "monitoring.monitoring.coreos.com \"prometheusrules\" is forbidden: User \"system:serviceaccount:monitoring:prometheus-operator-operator\" cannot delete resource \"monitoring/zalenium\" in API group \"monitoring.coreos.com\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "prometheusrules",
    "group": "monitoring.coreos.com",
    "kind": "monitoring"
  },
  "code": 403
}

Am I wrong in assuming that my service account in the monitoring namespace should be able to delete PrometheusRules at the cluster level?

Everything looks correct to me, and I don't understand why I get a Forbidden reply.

1 answer:

Answer 0 (score: 2)

You forgot to put the namespace in the URI:

curl -ik -X DELETE \
  -H "Authorization: Bearer <SERVICE_ACCOUNT_TOKEN>" \
  https://kubernetes.default.svc/apis/monitoring.coreos.com/v1/namespaces/monitoring/prometheusrules/zalenium

With the following command you can verify whether operation X on resource Y is allowed:

kubectl auth can-i delete prometheusrules --as system:serviceaccount:monitoring:prometheus-operator-operator -n monitoring

With the -v flag you can increase the verbosity of the request, which also shows the request in curl form.
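The question's 403 and the answer's corrected URI and can-i check, worked through as an added Python example that is not part of the original question or answer. It builds the REST path with and without the namespace segment, builds the SubjectAccessReview body that `kubectl auth can-i --as` sends to the API server, and classifies the Status JSON from the question so the "at the cluster scope" wording is recognised as a missing namespace in the path. The API server address, the 403 body and the service account name are taken from the page; the function names and the diagnosis labels are my own.

```python
import json
from urllib.parse import quote

# In-cluster API server address used in the question's curl commands.
API_SERVER = "https://kubernetes.default.svc"

# Constructed copy of the 403 body shown in the question, embedded so the
# diagnosis below can be exercised offline.
FORBIDDEN_STATUS = {
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": ('monitoring.monitoring.coreos.com "prometheusrules" is forbidden: User '
                '"system:serviceaccount:monitoring:prometheus-operator-operator" cannot delete '
                'resource "monitoring/zalenium" in API group "monitoring.coreos.com" '
                'at the cluster scope'),
    "reason": "Forbidden",
    "details": {"name": "prometheusrules", "group": "monitoring.coreos.com", "kind": "monitoring"},
    "code": 403,
}


def resource_url(group, version, resource, name=None, namespace=None):
    """Build the REST path for a Kubernetes resource.

    Namespaced resources need the /namespaces/<ns>/ segment. Without it the
    API server evaluates the request at the cluster scope, so a RoleBinding
    that only grants the verb inside a namespace does not apply."""
    base = f"{API_SERVER}/api/{version}" if group == "" else f"{API_SERVER}/apis/{group}/{version}"
    parts = [base]
    if namespace is not None:
        parts.append(f"namespaces/{quote(namespace, safe='')}")
    parts.append(resource)
    if name is not None:
        parts.append(quote(name, safe=""))
    return "/".join(parts)


def service_account_user(namespace, name):
    """Username the authorizer sees for a service account token."""
    return f"system:serviceaccount:{namespace}:{name}"


def subject_access_review(user, verb, resource, group="", namespace=None, name=None):
    """JSON body of a SubjectAccessReview, the API object behind
    `kubectl auth can-i <verb> <resource> --as <user> -n <ns>`.

    POST it to /apis/authorization.k8s.io/v1/subjectaccessreviews and read
    .status.allowed in the response. Omitting "namespace" asks about the
    cluster scope, which is what the question's curl effectively did."""
    attrs = {"verb": verb, "resource": resource, "group": group}
    if namespace is not None:
        attrs["namespace"] = namespace
    if name is not None:
        attrs["name"] = name
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {"user": user, "resourceAttributes": attrs},
    }


def diagnose_forbidden(status, request_url, namespaced=True):
    """Classify a 403 Status (labels are this example's own, not the API's).

    "at the cluster scope" for a namespaced resource, combined with a URL that
    lacks /namespaces/, means the namespace was left out of the path."""
    if status.get("code") != 403 or status.get("reason") != "Forbidden":
        return "not-forbidden"
    msg = status.get("message", "")
    if namespaced and "at the cluster scope" in msg and "/namespaces/" not in request_url:
        return "missing-namespace-in-path"
    if "at the cluster scope" in msg:
        return "no-cluster-scope-permission"
    return "no-permission-in-namespace"


if __name__ == "__main__":
    wrong = f"{API_SERVER}/apis/monitoring.coreos.com/v1/monitoring/prometheusrules/zalenium"
    right = resource_url("monitoring.coreos.com", "v1", "prometheusrules", "zalenium", "monitoring")
    print("wrong URL  :", wrong, "->", diagnose_forbidden(FORBIDDEN_STATUS, wrong))
    print("correct URL:", right)
    sa = service_account_user("monitoring", "prometheus-operator-operator")
    review = subject_access_review(sa, "delete", "prometheusrules",
                                   group="monitoring.coreos.com", namespace="monitoring")
    print(json.dumps(review, indent=2))
```

Running the script prints the diagnosis for the question's URL, the corrected URL from the answer, and the review body you could POST with the same bearer token instead of running `kubectl auth can-i` from outside the pod.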