Creating a role to view cluster events

Date: 2020-07-16 10:58:05

Tags: kubernetes

I created a cluster role to view its events:

kubectl create clusterrole events-view -n my-namespace --verb get --resource events
kubectl create clusterrolebinding events-view -n my-namespace --group 'activedirectory_group://my-groups-canonical-name' --clusterrole events-view

But when I try to view the events, I get:

> kubectl auth can-i get events -n my-namespace
yes
> kubectl get events -n my-namespace
Error from server (Forbidden): events is forbidden: User "u-wwrp76jtem" cannot list resource "events" in API group "" in the namespace "my-namespace"

Here is the output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.8", GitCommit:"ec6eb119b81be488b030e849b9e64fda4caaf33c", GitTreeState:"clean", BuildDate:"2020-03-12T21:00:06Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.4", GitCommit:"8d8aa39598534325ad77120c120a22b3a990b5ea", GitTreeState:"clean", BuildDate:"2020-03-12T20:55:23Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}

1 answer:

Answer 0 (score: 0)

Make sure the user u-wwrp76jtem is part of the group activedirectory_group://my-groups-canonical-name

You should try verifying the group's permissions with the following command

kubectl auth can-i get events -n my-namespace --as-group=activedirectory_group://my-groups-canonical-name
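
An added example, not part of the original question or answer: the Forbidden message names the verb `list`, while the role was created with `--verb get` only. The sketch below is a simplified model of RBAC rule matching (it ignores resourceNames, subresources and non-resource URLs, and is not the API server's code); `ROLE_READ_ONLY` and the helper names are hypothetical.

```python
import re

# Rule produced by the question's `kubectl create clusterrole ... --verb get --resource events`.
ROLE_AS_CREATED = [{"apiGroups": [""], "resources": ["events"], "verbs": ["get"]}]
# Hypothetical read-only variant that also covers collection reads.
ROLE_READ_ONLY = [{"apiGroups": [""], "resources": ["events"],
                   "verbs": ["get", "list", "watch"]}]

# The Forbidden message from the question, copied verbatim.
ERROR = ('Error from server (Forbidden): events is forbidden: User "u-wwrp76jtem" '
         'cannot list resource "events" in API group "" in the namespace "my-namespace"')

FORBIDDEN = re.compile(
    r'cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"')


def request_verb(name=None):
    """Verb a `kubectl get <resource> [name]` read is authorized as."""
    return "get" if name else "list"


def allowed(rules, verb, resource, api_group=""):
    """RBAC rules are additive; each field matches exactly or through '*'."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return any(match(r["verbs"], verb) and match(r["resources"], resource)
               and match(r["apiGroups"], api_group) for r in rules)


def denied_request(error_line):
    """Extract (verb, resource, api_group) from a Forbidden message, or None."""
    m = FORBIDDEN.search(error_line)
    return (m["verb"], m["resource"], m["group"]) if m else None


if __name__ == "__main__":
    verb, resource, group = denied_request(ERROR)
    print("denied request:", verb, resource, repr(group))
    for label, rules in (("as created", ROLE_AS_CREATED), ("read-only", ROLE_READ_ONLY)):
        print(f"{label}: can-i get -> {allowed(rules, 'get', resource, group)}, "
              f"{verb} -> {allowed(rules, verb, resource, group)}")
```

The check that corresponds to the failing command is `kubectl auth can-i list events -n my-namespace`, since `kubectl get events` without an object name reads the collection.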