I am trying to provision a user so that Grafana can monitor my cluster's resources. I followed the Bitnami guide here, and implemented those steps as the Ansible playbook found here.
Here is the ClusterRole the user uses, and here is how it is bound to the user.
However, despite this, when I configure it with the generated certificate, Grafana still throws this error.
Also, if I try to run any command in the user's context, it tells me I am unauthorized.
$> kubectl --context=grafana-prometheus-scraper get pods -n grafana
error: You must be logged in to the server (Unauthorized)
Any ideas?
Answer 0: (score: 1)
This is what your ServiceAccount, ClusterRole and ClusterRoleBinding should look like.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: grafana-prometheus-scraper
  namespace: default   # assumed: whichever namespace you create the ServiceAccount in
---
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: grafana-prometheus-scraper
rules:
- apiGroups: [""]
  resources:
  - configmaps
  - secrets
  - nodes
  - pods
  - services
  - resourcequotas
  - replicationcontrollers
  - limitranges
  - persistentvolumeclaims
  - persistentvolumes
  - namespaces
  - endpoints
  verbs: ["list", "watch"]
- apiGroups: ["extensions"]
  resources:
  - daemonsets
  - deployments
  - replicasets
  - ingresses
  verbs: ["list", "watch"]
- apiGroups: ["apps"]
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs: ["list", "watch"]
- apiGroups: ["batch"]
  resources:
  - cronjobs
  - jobs
  verbs: ["list", "watch"]
- apiGroups: ["autoscaling"]
  resources:
  - horizontalpodautoscalers
  verbs: ["list", "watch"]
- apiGroups: ["policy"]
  resources:
  - poddisruptionbudgets
  verbs: ["list", "watch"]
- apiGroups: ["certificates.k8s.io"]
  resources:
  - certificatesigningrequests
  verbs: ["list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources:
  - storageclasses
  verbs: ["list", "watch"]
- apiGroups: ["autoscaling.k8s.io"]
  resources:
  - verticalpodautoscalers
  verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: grafana-prometheus-scraper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: grafana-prometheus-scraper
subjects:
- kind: ServiceAccount
  name: grafana-prometheus-scraper
  namespace: default   # required for ServiceAccount subjects; must match the ServiceAccount's namespace above
You do not have to specify a namespace when creating a ClusterRole, because it applies to the whole cluster. If you want to restrict access to a specific namespace, you should use a Role and RoleBinding instead.
I highly recommend a very good article on Medium about Configuring RBAC For Your Kubernetes Service Accounts.
Answer 1: (score: 0)
There is no user object in Kubernetes. Create a service account and update it in the clusterrolebinding.
subjects:
- kind: User
  name: grafana-prometheus-scraper
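Both answers come down to the same point: the credential Grafana presents has to map to the subject named in the ClusterRoleBinding, and a ServiceAccount's token authenticates as `system:serviceaccount:<namespace>:<name>`, never as a User of the same name. As an added example (not code from the question, the answers, or the Bitnami guide), here is a small Python lint over objects of the shape `kubectl get clusterrolebinding -o json` returns; the sample objects are constructed, and the `grafana` namespace is an assumption. It flags a `kind: User` subject that shares its name with a ServiceAccount, a ServiceAccount subject with no namespace, a reference to a ServiceAccount that does not exist, and role rules that grant more than read verbs; `can_i_command` builds the `kubectl auth can-i ... --as=` check that confirms the result on a real cluster. One caveat worth keeping in mind with the question's own output: `Unauthorized` (HTTP 401) comes from the authentication layer, before RBAC is consulted, so a binding fix alone will not clear it if the API server does not accept the credential in the first place.

```python
import json

# Constructed sample objects, shaped like `kubectl get ... -o json` output but not
# taken from any real cluster. The names follow the thread; the "grafana" namespace
# of the ServiceAccount is an assumption.
SERVICE_ACCOUNTS = [
    {"metadata": {"name": "grafana-prometheus-scraper", "namespace": "grafana"}},
]


def _binding(subjects):
    """Build a ClusterRoleBinding JSON document with the given subjects list."""
    return json.dumps({
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "grafana-prometheus-scraper"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": "grafana-prometheus-scraper"},
        "subjects": subjects,
    })


# Binding as in answer 1's fragment: a User subject named after the ServiceAccount.
WRONG_BINDING = _binding([{"kind": "User", "name": "grafana-prometheus-scraper"}])
# ServiceAccount subject, but without the namespace the API server requires.
NO_NS_BINDING = _binding([{"kind": "ServiceAccount", "name": "grafana-prometheus-scraper"}])
# Corrected binding: ServiceAccount subject with its namespace.
FIXED_BINDING = _binding([{"kind": "ServiceAccount", "name": "grafana-prometheus-scraper",
                           "namespace": "grafana"}])

# Trimmed, constructed versions of a scraper ClusterRole: one read-only, one too broad.
SCRAPER_ROLE = json.dumps({"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["nodes", "pods", "services"], "verbs": ["list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["list", "watch"]},
]})
TOO_BROAD_ROLE = json.dumps({"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
]})

READ_ONLY_VERBS = {"get", "list", "watch"}


def sa_identity(namespace, name):
    """Username the API server assigns to requests made with this ServiceAccount's token."""
    return f"system:serviceaccount:{namespace}:{name}"


def can_i_command(namespace, name, verb, resource):
    """kubectl check that exercises the binding from the ServiceAccount's point of view."""
    return f"kubectl auth can-i {verb} {resource} --as={sa_identity(namespace, name)}"


def lint_binding(binding_json, service_accounts):
    """Return human-readable findings for subject mistakes in a (Cluster)RoleBinding."""
    binding = json.loads(binding_json)
    sa_index = {(sa["metadata"]["namespace"], sa["metadata"]["name"]) for sa in service_accounts}
    sa_names = {name: ns for ns, name in sa_index}
    findings = []
    for subj in binding.get("subjects", []):
        kind, name, ns = subj.get("kind"), subj.get("name"), subj.get("namespace")
        if kind == "ServiceAccount":
            if not ns:
                findings.append(f"ServiceAccount subject '{name}' lacks a namespace; "
                                "the API server rejects such a binding")
            elif (ns, name) not in sa_index:
                findings.append(f"ServiceAccount '{ns}/{name}' does not exist; the binding grants nothing")
        elif kind == "User" and name in sa_names:
            findings.append(
                f"subject kind User '{name}' matches a ServiceAccount; its token authenticates as "
                f"'{sa_identity(sa_names[name], name)}', not as User '{name}', so this binding "
                "never applies to it. Use kind: ServiceAccount and add the namespace.")
    return findings


def lint_role(role_json):
    """Flag rules whose verbs go beyond what a read-only metrics scraper needs."""
    role = json.loads(role_json)
    findings = []
    for rule in role.get("rules", []):
        extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS
        if extra:
            findings.append(f"rule on {rule.get('resources')} grants non-read verbs {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for label, doc in [("wrong", WRONG_BINDING), ("no-namespace", NO_NS_BINDING), ("fixed", FIXED_BINDING)]:
        print(label, lint_binding(doc, SERVICE_ACCOUNTS) or ["ok"])
    print("role", lint_role(TOO_BROAD_ROLE) or ["ok"])
    print(can_i_command("grafana", "grafana-prometheus-scraper", "list", "pods"))
```

Run the printed `kubectl auth can-i` line against the cluster after applying the manifests; `yes` for `list pods` and `no` for anything outside the role's verbs is the expected shape for a scraper account.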