Kubernetes ServiceAccount cannot list nodes

p1tboqfb, posted 2023-04-29 in Kubernetes

I am trying to give my service account foo permission to get the list of nodes on the cluster (via kubectl get nodes). I created a clusterrole and a role binding with the following permissions:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: foo-cluster-role
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]

When I run a pod with that service account, I cannot run kubectl get nodes:

root@debugger:/# kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:default:foo" cannot list resource "nodes" in API group "" at the cluster scope

Strangely, when I ask via kubectl auth can-i, it tells me I should have access:

root@debugger:/# kubectl auth can-i get nodes
Warning: resource 'nodes' is not namespace scoped
yes

How do I set up my service account so that it can list the nodes on the cluster?

edit: the clusterrolebinding looks like this:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: foo-binding
subjects:
- kind: ServiceAccount
  name: foo
roleRef:
  kind: ClusterRole
  name: foo-cluster-role
  apiGroup: ""
oymdgrw7 #1

You have to create a ClusterRoleBinding. Please check the following.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: foo-cluster-role
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: foo-binding
subjects:
- kind: ServiceAccount
  name: foo
  namespace: default
roleRef:
  kind: ClusterRole
  name: foo-cluster-role
  apiGroup: rbac.authorization.k8s.io
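The reason the two commands disagree is binding scope: a RoleBinding makes the referenced ClusterRole's rules apply only to requests inside the binding's namespace, and kubectl auth can-i checks against the current namespace (hence the "not namespace scoped" warning), so the review passes, while the real kubectl get nodes is a cluster-scoped request that no RoleBinding can satisfy. The following is an added example, not code from the thread or from Kubernetes: a simplified model of that scoping rule plus a small audit that flags the mistake before a manifest is applied. The manifests are the asker's and the answer's YAML expressed as Python dicts; the assumption that the asker's RoleBinding landed in the default namespace comes from the username in the error message, and the set of cluster-scoped resources is a constructed subset.

```python
"""Simplified model of RBAC binding scope (added example; not the real authorizer)."""

# Constructed subset of resources that live at cluster scope.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes", "clusterroles"}

# The asker's manifests as parsed dicts.  Assumption: the RoleBinding was
# applied into "default" (the error names system:serviceaccount:default:foo).
ASKER_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "foo-cluster-role"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "foo-binding", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "foo"}],
     "roleRef": {"kind": "ClusterRole", "name": "foo-cluster-role"}},
]

# The answer's manifests as parsed dicts.
ANSWER_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "foo-cluster-role"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"],
                "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "foo-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "foo", "namespace": "default"}],
     "roleRef": {"kind": "ClusterRole", "name": "foo-cluster-role"}},
]


def sa_user(namespace, name):
    """Username the API server assigns to a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


def _rules_for(objects, role_ref, binding_namespace):
    """Resolve a binding's roleRef to the rules of the Role/ClusterRole."""
    for obj in objects:
        if obj["kind"] != role_ref["kind"] or obj["metadata"]["name"] != role_ref["name"]:
            continue
        # A Role must live in the binding's namespace; a ClusterRole is global.
        if obj["kind"] == "Role" and obj["metadata"].get("namespace") != binding_namespace:
            continue
        return obj.get("rules", [])
    return []


def _subject_matches(subject, binding_namespace, user):
    """ServiceAccount subjects without a namespace default to the binding's namespace."""
    if subject["kind"] != "ServiceAccount":
        return subject["kind"] == "User" and subject["name"] == user
    ns = subject.get("namespace") or binding_namespace
    return ns is not None and sa_user(ns, subject["name"]) == user


def _rule_allows(rule, verb, group, resource):
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("verbs", []), verb)
            and hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource))


def can_i(objects, user, verb, resource, namespace="", group=""):
    """namespace="" models a cluster-scoped request such as `kubectl get nodes`."""
    for obj in objects:
        if obj["kind"] == "ClusterRoleBinding":
            binding_ns = None  # applies to every request, any scope
        elif obj["kind"] == "RoleBinding":
            binding_ns = obj["metadata"].get("namespace", "default")
            # Rules bound by a RoleBinding apply only inside its namespace,
            # so a cluster-scoped request (namespace == "") never matches.
            if namespace != binding_ns:
                continue
        else:
            continue
        if not any(_subject_matches(s, binding_ns, user) for s in obj.get("subjects", [])):
            continue
        rules = _rules_for(objects, obj["roleRef"], binding_ns)
        if any(_rule_allows(r, verb, group, resource) for r in rules):
            return True
    return False


def audit(objects):
    """Static checks for the two binding mistakes behind the thread's symptom."""
    findings = []
    for obj in objects:
        name = obj["metadata"]["name"]
        if obj["kind"] == "RoleBinding":
            rules = _rules_for(objects, obj["roleRef"], obj["metadata"].get("namespace", "default"))
            cluster_res = sorted({r for rule in rules for r in rule.get("resources", [])
                                  if r in CLUSTER_SCOPED})
            if cluster_res:
                findings.append(f"RoleBinding {name} binds rules for cluster-scoped "
                                f"{cluster_res}; it only grants them inside its namespace, "
                                f"use a ClusterRoleBinding")
        elif obj["kind"] == "ClusterRoleBinding":
            for s in obj.get("subjects", []):
                if s["kind"] == "ServiceAccount" and not s.get("namespace"):
                    findings.append(f"ClusterRoleBinding {name}: ServiceAccount subject "
                                    f"{s['name']} needs an explicit namespace")
    return findings


if __name__ == "__main__":
    foo = sa_user("default", "foo")
    for label, objs in (("asker", ASKER_OBJECTS), ("answer", ANSWER_OBJECTS)):
        print(label, "can-i get nodes in default:", can_i(objs, foo, "get", "nodes", namespace="default"))
        print(label, "list nodes at cluster scope:", can_i(objs, foo, "list", "nodes"))
        for finding in audit(objs):
            print(label, "finding:", finding)
```

Running it reproduces the thread: with the asker's objects the namespaced review says yes and the cluster-scoped request says no, while the answer's ClusterRoleBinding allows both. On a live cluster the equivalent check is kubectl auth can-i list nodes --all-namespaces, which issues the review without a namespace.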
