Kubernetes DaemonSet with a ClusterRole

vom3gejh posted on 2023-05-28 in Kubernetes
Follow (0) | Answers (1) | Views (134)

I created a Python script to load node resources by running the script below. The error is Forbidden. config.load_incluster_config() has already been called before the script is invoked.

Script:

    from kubernetes import client, config
    from returns.maybe import Maybe

    # Method of the poster's own class (class body and the Resources
    # container type are not shown in the post).
    @classmethod
    def fetch_node_resource(cls, node_name: str) -> "Resources":
        # In-cluster: the caller has already run config.load_incluster_config(),
        # so requests carry the pod's ServiceAccount token.
        api_client = client.CoreV1Api()
        # read_node is a cluster-scoped GET on "nodes": the ServiceAccount needs a
        # ClusterRole with get on nodes, bound through a ClusterRoleBinding.
        node = api_client.read_node(node_name)

        # Fetch all node resources
        capacity: dict = node.status.capacity

        # dict.get returns None for a missing key and from_optional maps None to
        # Nothing; passing Nothing as the default would have produced Some(Nothing).
        cpu_capacity = Maybe.from_optional(capacity.get("cpu"))
        memory_capacity = Maybe.from_optional(capacity.get("memory"))
        network_bandwidth_capacity = Maybe.from_optional(
            capacity.get("network_bandwidth")
        )
        gpu_capacity = Maybe.from_optional(capacity.get("nvidia.com/gpu"))

        return Resources(
            cpu=cpu_capacity,
            gpu=gpu_capacity,
            memory=memory_capacity,
            net_bandwidth=network_bandwidth_capacity,
        )

Error:

"node-exporter-simulator-sbcqr" is forbidden: User "system:serviceaccount:monitoring:node-exporter-simulator-account" cannot get resource "nodes" in API group

The service account is given a ClusterRole and bound to it. The script itself runs as a DaemonSet.

DaemonSet:

{{- if .Values.nodeExporterSimulator.enabled }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter-simulator
  namespace: {{ .Values.namespace }}
  labels:
    app: node-exporter-simulator
spec:
  selector:
    matchLabels:
      app: node-exporter-simulator
  template:
    metadata:
      labels:
        app: node-exporter-simulator
    spec:
      serviceAccountName: node-exporter-simulator-account
      containers:
        - name: metrics-generator
          image: dev0guy/node-exporter-simulator:v0.0.5
          env:
            - name: PROMETHEUS_GATEWAY_URL
              value: "pushgateway:9091"
            - name: PUSH_INTERVAL
              # env values must be strings; quote so a numeric interval still renders valid YAML
              value: {{ .Values.nodeExporterSimulator.interval | quote }}
{{- end }}

Role:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: node-exporter-simulator-account
  namespace: {{ .Values.namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-exporter-simulator-role
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding is cluster-scoped; it carries no namespace
  name: node-exporter-simulator-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-exporter-simulator-role
subjects:
- kind: ServiceAccount
  name: node-exporter-simulator-account
  namespace: {{ .Values.namespace }}

I have run the helm install command, but as before I always get the 403 Forbidden error. I have kubectl-described all the resources, but they all seem correct.
Has anyone solved this before, or does anyone have any suggestions?

Edit:

The problem is fixed; there was a naming error (the service account had not been given the same name). But the problem now is that I need to get the node name, not the pod name.

xwbd5t1u 1#

At first I searched by node name, but what I actually had was the pod hostname. After fixing that, I passed a pod name and its namespace into the DaemonSet. However, I had not added pods to the ClusterRole.
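The answer ends with the pod lookup failing because the ClusterRole grants nothing on pods. An added example (not code from the original post or the poster's project) shows how a DaemonSet pod can learn its node name from the Downward API without any pods permission, keeping the API lookup only as a fallback; the NODE_NAME, POD_NAME and POD_NAMESPACE variable names are assumptions.

```python
"""Learn which node a DaemonSet pod runs on, with the least RBAC possible.

Added example, not code from the original post. It assumes the DaemonSet
injects the Downward API field spec.nodeName into NODE_NAME, e.g.:

    env:
      - name: NODE_NAME
        valueFrom:
          fieldRef:
            fieldPath: spec.nodeName

POD_NAME and POD_NAMESPACE (also assumed names) are only used by the
fallback path, which reads the pod object through the API.
"""
import socket
from typing import Callable, Mapping, Optional

# Shape of a Kubernetes client read_namespaced_pod(name, namespace) call.
PodReader = Callable[[str, str], object]


def resolve_node_name(env: Mapping[str, str],
                      read_pod: Optional[PodReader] = None) -> str:
    """Return the node name for the pod described by `env`.

    Preferred: NODE_NAME from the Downward API needs no API call and no RBAC.
    Fallback: read this pod's spec.nodeName, which needs 'get' on 'pods'
    in the pod's own namespace (a namespaced Role, not a ClusterRole).
    """
    node = env.get("NODE_NAME")
    if node:
        return node
    namespace = env.get("POD_NAMESPACE")
    if not namespace:
        raise RuntimeError("POD_NAMESPACE unset: cannot look up the pod")
    # The pod hostname equals the pod name unless spec.hostname overrides it.
    pod_name = env.get("POD_NAME") or socket.gethostname()
    if read_pod is None:
        from kubernetes import client, config  # lazy: only the fallback needs it
        config.load_incluster_config()
        read_pod = client.CoreV1Api().read_namespaced_pod
    return read_pod(pod_name, namespace).spec.node_name


def rbac_rules_needed(env: Mapping[str, str]) -> list:
    """RBAC rules the pod's ServiceAccount must hold for resolve_node_name."""
    if env.get("NODE_NAME"):
        return []  # Downward API path: the kube-apiserver is never asked
    return [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]
```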
