我有一个Kubernetes集群(v1.14.10),其中包含Kubernetes入口控制器(quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0)。当我尝试将IC更新到0.30.0时,在nginx pod中出现以下日志消息:error updating ingress rule: ingresses.networking.k8s.io "test" is forbidden: User "system:serviceaccount:ingress:nginx" cannot update resource "ingresses/status" in API group "networking.k8s.io" in the namespace "test"
群集角色绑定和nginx的角色包含以下权限:
# kubectl describe clusterrolebinding nginx-role
Name: nginx-role
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: nginx-role
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount nginx ingress
# kubectl describe clusterrole nginx-role
Name: nginx-role
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
events [] [] [create patch]
services [] [] [get list update watch]
ingresses.extensions [] [] [get list watch update]
ingresses.networking.k8s.io [] [] [get list watch]
namespaces [] [] [get update]
configmaps [] [] [list watch get create update]
nodes [] [] [list watch get]
endpoints [] [] [list watch]
pods [] [] [list watch]
secrets [] [] [list watch]
ingresses.extensions/status [] [] [update]
ingresses.networking.k8s.io/status [] [] [update]
入口配置包含以下apiVersion,我不知道这是否是由于新的networking.k8s.io/v1beta1软件包([4127] https://github.com/kubernetes/ingress-nginx/pull/4127)引起的问题
api版本:扩展/v1 beta1类型:入口
您能告诉我这是kubernetes入口配置还是集群角色问题吗?谢谢。
1条答案
按热度按时间2wnc66cl1#
这个问题有点老了,但是为了防止其他人在查找错误消息时发现这个问题,我通过将
networking.k8s.io
API组 * 添加到nginx role配置中的 * ingress/status 资源来解决这个问题。样品:
这个错误很好地描述了这个问题,如果资源
"ingresses/status"
缺少API组"networking.k8s.io"
,你也可能在其他资源上遇到这个问题,修复方法是类似的。至于原因,我相信这是Kubernetes的更新问题。