How do I make a helm chart that creates a cluster role allowing pods to be created, viewed and deleted in a specific namespace?

Time: 2021-03-04 21:30:28

Tags: kubernetes kubernetes-helm rbac helmfile

I have a daemon running on my kubernetes cluster whose purpose is to accept gRPC requests and translate them into commands that create, delete and view pods in the k8s cluster. It runs as a service in the cluster and is deployed via helm.

The helm chart creates a service account for the daemon, "tass-daemon", and gives it a cluster role that should allow it to manipulate pods in a specific namespace, "tass-arrays".

However, I find that the service account doesn't seem to work; my daemon reports a permissions error when it tries to contact the K8S API server:

2021/03/04 21:17:48 pods is forbidden: User "system:serviceaccount:default:tass-daemon" cannot list resource "pods" in API group "" in the namespace "tass-arrays"

If I use the default service account with a manually added cluster role, I've confirmed that the code works, but trying to set this up via the helm chart doesn't seem to work.

However, if I compare the tass-daemon clusterrole with the admin cluster role (which obviously has permission to manipulate pods in all namespaces), they appear to be the same:

[maintainer@headnode helm]$ kubectl describe clusterrole admin  | grep -i pods
  pods                                            []                 []              [create delete deletecollection patch update get list watch]
  pods/attach                                     []                 []              [get list watch create delete deletecollection patch update]
  pods/exec                                       []                 []              [get list watch create delete deletecollection patch update]
  pods/portforward                                []                 []              [get list watch create delete deletecollection patch update]
  pods/proxy                                      []                 []              [get list watch create delete deletecollection patch update]
  pods/log                                        []                 []              [get list watch]
  pods/status                                     []                 []              [get list watch]

[maintainer@headnode helm]$ kubectl describe clusterrole tass-daemon  | grep -i pods
  pods/attach  []                 []              [create delete deletecollection patch update get list watch]
  pods         []                 []              [create delete deletecollection patch update get list watch]
  pods.apps    []                 []              [create delete deletecollection patch update get list watch]
  pods/status  []                 []              [get list watch]

Based on this setup, I'd expect the tass-daemon service account to have the appropriate pod management permissions.

Here is the clusterrole.yaml from my helm chart:

{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: {{ template "tass-daemon.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "tass-daemon.fullname" . }}
  namespace: "tass-arrays"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create delete deletecollection patch update get list watch
- apiGroups:
  - ""
  resources:
  - pods/attach
  verbs:
  - create delete deletecollection patch update get list watch
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - get list watch
- apiGroups:
  - apps

And my clusterrolebinding.yaml:

{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: {{ template "tass-daemon.name" .}}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "tass-daemon.fullname" . }}
  namespace: "tass-arrays"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "tass-daemon.fullname" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "tass-daemon.fullname" . }}
  namespace: {{ .Release.Namespace }}
{{- end -}}

If I change the roleRef name to "admin" it works, but admin is more permissive than we'd like.

Finally, my serviceaccount.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: {{ template "tass-daemon.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "tass-daemon.fullname" . }}

Obviously I'm doing something wrong, so what is the correct way to configure the cluster role so that my daemon can manipulate pods in the "tass-arrays" namespace?

1 answer:

Answer 0: (score: 1)

As I mentioned in the comments section, apiVersion rbac.authorization.k8s.io/v1beta1 is deprecated; use rbac.authorization.k8s.io/v1 instead. API v1 is stable. You should use the stable version whenever possible.

Read more: rbac-kubernetes

Regarding the RBAC problem, the rules section under your ClusterRole should look like this:

rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

See: pod-rbac-forbidden
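Added worked example (not part of the question or the answer): a small Python model of how the API server matches a request against RBAC rules. It reproduces the failure from the log line above. In the question's clusterrole.yaml each `verbs:` list has a single item, `- create delete deletecollection patch update get list watch`, which YAML reads as one space-separated string, not eight verbs; `kubectl describe` prints a one-element list and an eight-element list identically as `[create delete ... watch]`, which is why the two roles looked the same. The example also shows why a ClusterRoleBinding grants the role in every namespace (the `namespace:` field on a ClusterRole is ignored, since ClusterRoles are cluster-scoped) and how a RoleBinding in "tass-arrays" that references the same ClusterRole limits the grant to that namespace. The role names, the exact verb set in the fixed rule and the service account's namespace (`default`, as in the log line) are assumptions of this example.

```python
# Added example, not code from the question or answer: a model of how the
# Kubernetes API server matches a request against RBAC rules, used to show why
# the chart's ClusterRole denies "list pods" in "tass-arrays" while the
# corrected rule allows it. Only rule matching and binding scope are modelled;
# real RBAC also handles resourceNames, nonResourceURLs and aggregated roles.

# Rules as the question's clusterrole.yaml renders them: the YAML item
# "- create delete ... watch" is ONE scalar, so each verbs list holds a single
# space-separated string rather than eight verbs.
BROKEN_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["create delete deletecollection patch update get list watch"]},
    {"apiGroups": [""], "resources": ["pods/attach"],
     "verbs": ["create delete deletecollection patch update get list watch"]},
    {"apiGroups": [""], "resources": ["pods/status"],
     "verbs": ["get list watch"]},
]

# The answer's corrected rule (one verb per list item), widened with the write
# verbs the daemon needs; this exact verb set is an assumption of the example.
FIXED_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "watch", "list", "create", "delete"]},
]

# Hypothetical role names, used only in this example.
ROLES = {"tass-daemon-broken": BROKEN_RULES, "tass-daemon-fixed": FIXED_RULES}


def rule_allows(rule, api_group, resource, verb):
    """True when group, resource and verb each appear in the rule's lists.
    Matching is whole-string equality (or the "*" wildcard), which is why the
    single string 'create delete ... watch' never equals 'list'."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def make_binding(kind, role_name, namespace=None):
    """kind is "ClusterRoleBinding" (cluster-wide grant) or "RoleBinding"
    (grant limited to `namespace`, even when it references a ClusterRole).
    The subject is the chart's service account in the release namespace."""
    return {"kind": kind, "roleRef": role_name, "namespace": namespace,
            "subjects": [("tass-daemon", "default")]}


def binding_applies(binding, sa_name, sa_namespace, request_namespace):
    """A binding counts only if the SA is a subject and the binding's scope
    covers the namespace of the request."""
    if (sa_name, sa_namespace) not in binding["subjects"]:
        return False
    if binding["kind"] == "ClusterRoleBinding":
        return True
    return binding["namespace"] == request_namespace


def can_i(bindings, sa_name, sa_namespace, verb, resource, namespace, api_group=""):
    """Mirrors `kubectl auth can-i <verb> <resource> -n <namespace>` for a
    service account: allowed if any applicable binding's role has a matching rule."""
    for binding in bindings:
        if not binding_applies(binding, sa_name, sa_namespace, namespace):
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in ROLES[binding["roleRef"]]):
            return True
    return False


def check_daemon_access(bindings):
    """Replays the request from the question's log line (list pods in
    tass-arrays) plus a create there and a list in another namespace."""
    sa = ("tass-daemon", "default")
    return {
        ("list", "tass-arrays"): can_i(bindings, *sa, "list", "pods", "tass-arrays"),
        ("create", "tass-arrays"): can_i(bindings, *sa, "create", "pods", "tass-arrays"),
        ("list", "kube-system"): can_i(bindings, *sa, "list", "pods", "kube-system"),
    }


if __name__ == "__main__":
    scenarios = {
        "broken ClusterRole + ClusterRoleBinding (as in the question)":
            [make_binding("ClusterRoleBinding", "tass-daemon-broken")],
        "fixed ClusterRole + ClusterRoleBinding (works, but in every namespace)":
            [make_binding("ClusterRoleBinding", "tass-daemon-fixed")],
        "fixed ClusterRole + RoleBinding in tass-arrays (scoped to one namespace)":
            [make_binding("RoleBinding", "tass-daemon-fixed", namespace="tass-arrays")],
    }
    for title, bindings in scenarios.items():
        print(title)
        for (verb, ns), ok in check_daemon_access(bindings).items():
            print(f"  {verb:6} pods in {ns:12} -> {'allowed' if ok else 'forbidden'}")
```

The third scenario is the least-privilege shape for the question's goal: keep the ClusterRole (with one verb per `- ` item and `apiVersion: rbac.authorization.k8s.io/v1`), but bind it with a RoleBinding whose `metadata.namespace` is `tass-arrays`, so the daemon can manage pods there and nowhere else. On a real cluster the same check is `kubectl auth can-i list pods -n tass-arrays --as=system:serviceaccount:default:tass-daemon`.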
