User cannot list cluster-wide resources - Kubernetes HTTP endpoint

gajydyqb  posted on 2023-05-16  in  Kubernetes
kubernetes v1.23.6
rancher-desktop v1.3.0

I am trying to use the Kubernetes API HTTP endpoint from inside a Pod. I have a service account set up that should have permission to hit the API and return data, but I can't get any useful results.
I get a 403 Forbidden for an element that I believe the service account should have access to.

curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://kubernetes.default.svc/api/v1/default/pods/ubuntu

where $KUBE_TOKEN is the value read from /var/run/secrets/kubernetes.io/serviceaccount/token
Returns:

https://kubernetes.default.svc/api/v1/default/pods/ubuntu
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "default \"pods\" is forbidden: User \"system:serviceaccount:default:podkiller\" cannot get resource \"default/ubuntu\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "pods",
    "kind": "default"
  },
  "code": 403
}

I originally had a Role instead of a ClusterRole; that allowed me to use the API, and before that any request would return Forbidden.
I have looked at a few other posts (1, 2, 3), but they all seem to be namespace issues or the role and account not being bound, which I think I have done correctly.

Service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: podkiller
automountServiceAccountToken: true

ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: podkiller
rules:
- apiGroups: [""]
  resources: ["pods","nodes"]
  verbs: ["get", "watch", "list", "delete"]

ClusterRoleBinding

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: podkiller
subjects:
- kind: ServiceAccount
  name: podkiller
  namespace: default
roleRef:
  kind: ClusterRole
  name: podkiller
  apiGroup: rbac.authorization.k8s.io

Pod

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    app: ubuntu
spec:
  serviceAccountName: podkiller
  automountServiceAccountToken: true
  containers:
  - image: ubuntu
    command:
      - "sleep"
      - "604800"
    imagePullPolicy: IfNotPresent
    name: ubuntu
  restartPolicy: Always
lyr7nygr 1#

Which namespace is your service account podkiller in? I suspect it is not in the namespace default, as the ClusterRoleBinding indicates. Changing it to the correct namespace may solve your problem.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: podkiller
subjects:
- kind: ServiceAccount
  name: podkiller
  namespace: default  # => correct namespace
roleRef:
  kind: ClusterRole
  name: podkiller
  apiGroup: rbac.authorization.k8s.io
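Editor's note, with an added example that is not code from the question or the answer above. The error output in the question already shows where the request goes wrong: the subject is `system:serviceaccount:default:podkiller`, so the account is in `default` and the binding matches it, but the `details` field reports `kind: default`, `name: pods`, and the message says the account cannot get resource `default/ubuntu` at the cluster scope. The path `/api/v1/default/pods/ubuntu` is missing the `namespaces/` segment, so the API server parsed `default` as the resource, `pods` as the name and `ubuntu` as a subresource, and RBAC evaluated a cluster-scoped request for a resource that no rule grants. The script below mirrors that path splitting for core-group (`/api/v1`) paths, builds the correct namespaced path, and fetches the pod using the mounted namespace, token and CA certificate instead of `curl -k`. The service account mount path, the in-cluster service name, and the pod name `ubuntu` are taken from the question; everything else is assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from the question or answer above.
# Assumes the standard in-pod service account mount and the in-cluster
# API service name; the pod name "ubuntu" and namespace "default" come
# from the question.

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API=https://kubernetes.default.svc

# Mirror how the API server splits a core-group path (/api/v1/...) into
# namespace, resource, name and subresource. Without a leading
# "namespaces/<ns>" segment the first segment is taken as the resource
# and the request is authorized at the cluster scope.
describe_path() {
  rest=${1#/api/v1/}
  ns=""
  case "$rest" in
    namespaces/*)
      rest=${rest#namespaces/}
      ns=${rest%%/*}
      rest=${rest#"$ns"}; rest=${rest#/}
      # "namespaces/<ns>" on its own addresses the Namespace object itself
      [ -n "$rest" ] || rest="namespaces/$ns"
      ;;
  esac
  resource=${rest%%/*}; rest=${rest#"$resource"}; rest=${rest#/}
  name=${rest%%/*};     rest=${rest#"$name"};     rest=${rest#/}
  sub=${rest%%/*}
  printf 'namespace=%s resource=%s name=%s subresource=%s' \
    "$ns" "$resource" "$name" "$sub"
}

# Build the correct path for pods in a namespace.
pod_path() {
  # $1 namespace, $2 pod name (omit $2 to list the namespace's pods)
  if [ -n "$2" ]; then
    printf '/api/v1/namespaces/%s/pods/%s' "$1" "$2"
  else
    printf '/api/v1/namespaces/%s/pods' "$1"
  fi
}

# Fetch a pod from inside the pod: namespace and token come from the
# mount, and the mounted CA replaces "curl -k" so the server is verified.
get_pod() {
  ns=$(cat "$SA_DIR/namespace")
  token=$(cat "$SA_DIR/token")
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $token" \
    "$API$(pod_path "$ns" "$1")"
}

# Usage from inside the pod (not run here):
#   describe_path /api/v1/default/pods/ubuntu
#   get_pod ubuntu
```

Two checks worth running from outside the cluster before debugging inside the pod: `kubectl auth can-i get pods --as=system:serviceaccount:default:podkiller -n default` confirms the binding, and `kubectl auth can-i get default --as=system:serviceaccount:default:podkiller` reproduces the denial the mis-built path triggers. Note also that the ClusterRole in the question grants get/list/watch/delete on every pod and every node in the cluster; if the goal is only pods in one namespace, a Role plus RoleBinding in that namespace is the least-privilege choice (nodes are cluster-scoped and genuinely need a ClusterRole).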
