所以,就像您所说的,我创建了另一个pod,它的类型是:JOB,并包含了script.sh。
在script.sh文件中,我对主pod运行“kubectl exec”以运行几个命令
该脚本被执行,但我收到错误“Cannot Create resource”pods/exec in API group“
因此,我创建了一个具有资源[“pods/exec”]的集群角色,并使用ClusterRoleBinding将其绑定到默认服务帐户
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-account-role-binding
namespace: default
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
In the pod which is of kind:job, I include the service account like shown below
restartPolicy: Never
serviceAccountName: default
but I still get the same error. What am I doing wrong here ?Error from server (Forbidden): pods "mongo-0" is forbidden: User "system:serviceaccount:default:default" cannot create resource "pods/exec" in API group "" in the namespace "default"
1条答案
按热度按时间xbp102n01#
如果这是需要定期运行以进行维护的内容,请查看Kubernetes守护进程集对象。