kubernetes v1.23.6
rancher-desktop v1.3.0
我正在尝试从Pod内部使用Kubernetes API HTTP端点。我有一个服务帐户设置,应该有权限击中API和返回数据,但我无法得到任何有用的结果。
我得到一个403禁止的元素,我认为应该访问的服务帐户。
curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://kubernetes.default.svc/api/v1/default/pods/ubuntu
其中$KUBE_TOKEN是从/var/run/secrets/kubernetes.io/serviceaccount/token
读取的值
退货:
https://kubernetes.default.svc/api/v1/default/pods/ubuntu
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "default \"pods\" is forbidden: User \"system:serviceaccount:default:podkiller\" cannot get resource \"default/ubuntu\" in API group \"\" at the cluster scope",
"reason": "Forbidden",
"details": {
"name": "pods",
"kind": "default"
},
"code": 403
我最初有Role
而不是ClusterRole
,这允许我使用API,在此之前,任何请求都将返回禁止。
我看了一些其他的帖子123,但似乎都是名称空间或不绑定角色和帐户的问题,我认为我做得对。
服务账号
apiVersion: v1
kind: ServiceAccount
metadata:
name: podkiller
automountServiceAccountToken: true
集群角色
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: podkiller
rules:
- apiGroups: [""]
resources: ["pods","nodes"]
verbs: ["get", "watch", "list", "delete"]
ClusterRoleBinding
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: podkiller
subjects:
- kind: ServiceAccount
name: podkiller
namespace: default
roleRef:
kind: ClusterRole
name: podkiller
apiGroup: rbac.authorization.k8s.io
Pod
apiVersion: v1
kind: Pod
metadata:
name: ubuntu
labels:
app: ubuntu
spec:
serviceAccountName: podkiller
automountServiceAccountToken: true
containers:
- image: ubuntu
command:
- "sleep"
- "604800"
imagePullPolicy: IfNotPresent
name: ubuntu
restartPolicy: Always
1条答案
按热度按时间lyr7nygr1#
请问您的服务帐户podkiller位于哪个命名空间?我怀疑它不在名称空间
default
中,正如ClusterRoleBinding所指示的那样。将其更改为正确的命名空间可能会解决您的问题。