I can't figure this out. I have the following setup:
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: alb-ingress-controller
  name: alb-ingress-controller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: alb-ingress-controller
  name: alb-ingress-controller
rules:
  - apiGroups:
      - ""
      - extensions
    resources:
      - configmaps
      - endpoints
      - events
      - ingresses
      - ingresses/status
      - services
    verbs:
      - create
      - get
      - list
      - update
      - watch
      - patch
  - apiGroups:
      - ""
      - extensions
    resources:
      - nodes
      - pods
      - secrets
      - services
      - namespaces
    verbs:
      - get
      - list
      - watch
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: alb-ingress-controller
  name: alb-ingress-controller
  # Namespace the ALB Ingress Controller should run in. Does not impact which
  # namespaces it's able to resolve ingress resources for. For limiting ingress
  # namespace scope, see --watch-namespace.
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alb-ingress-controller
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: alb-ingress-controller
    spec:
      containers:
        - args:
            # Limit the namespace where this ALB Ingress Controller deployment will
            # resolve ingress resources. If left commented, all namespaces are used.
            # - --watch-namespace=your-k8s-namespace
            # Setting the ingress-class flag below ensures that only ingress resources with the
            # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may
            # choose any class you'd like for this controller to respect.
            - --ingress-class=alb
            # Name of your cluster. Used when naming resources created
            # by the ALB Ingress Controller, providing distinction between
            # clusters.
            - --cluster-name=kubernetes.someclustername.com
            # AWS VPC ID this ingress controller will use to create AWS resources.
            # If unspecified, it will be discovered from ec2metadata.
            - --aws-vpc-id=vpc-somevpc
            # AWS region this ingress controller will operate in.
            # If unspecified, it will be discovered from ec2metadata.
            # List of regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region
            - --aws-region=us-east-1
            # Enables logging on all outbound requests sent to the AWS API.
            # If logging is desired, set to true.
            # - --aws-api-debug
            # Maximum number of times to retry the aws calls.
            # defaults to 10.
            # - --aws-max-retries=10
          env:
            # AWS key id for authenticating with the AWS API.
            # This is only here for examples. It's recommended you instead use
            # a project like kube2iam for granting access.
            # - name: ${AWS_SECRET_ACCESS_KEY}
            #   value: ${AWS_ACCESS_KEY_ID}
            - name: AWS_ACCESS_KEY_ID
              value: redacted
            # AWS key secret for authenticating with the AWS API.
            # This is only here for examples. It's recommended you instead use
            # a project like kube2iam for granting access.
            - name: AWS_SECRET_ACCESS_KEY
              value: redacted
          # Repository location of the ALB Ingress Controller.
          #
          #image: docker.io/amazon/aws-alb-ingress-controller:v1.1.0
          #https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/
          #image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.3
          #
          image: docker.io/amazon/aws-alb-ingress-controller:v2.4.5
          imagePullPolicy: Always
          name: server
          resources: {}
          terminationMessagePath: /dev/termination-log
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
      terminationGracePeriodSeconds: 30
      serviceAccountName: alb-ingress-controller
      serviceAccount: alb-ingress-controller
The ALB controller log shows: pkg/mod/k8s.io/client-go@v0.21.4/tools/cache/reflector.go:167: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:alb-ingress-controller" cannot list resource "pods" in API group "" at the cluster scope
1 answer
You are missing a ClusterRoleBinding; without it the ClusterRole is not assigned to the ServiceAccount.
Reference: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding
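The binding the answer refers to, written against the ClusterRole and ServiceAccount names from the question. This is an added example, not the answerer's own manifest; the `app` label is an assumption carried over from the question's other objects and is not required for the binding to work.

```yaml
# Binds the ClusterRole "alb-ingress-controller" (cluster scope) to the
# ServiceAccount "alb-ingress-controller" in the kube-system namespace.
# The subject must name the namespace explicitly: ServiceAccount subjects
# are namespaced even though the binding itself is cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: alb-ingress-controller   # assumed label, matches the question's objects
  name: alb-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: alb-ingress-controller     # must match the ClusterRole metadata.name above
subjects:
  - kind: ServiceAccount
    name: alb-ingress-controller   # must match the ServiceAccount metadata.name
    namespace: kube-system         # must match the ServiceAccount's namespace
```

After applying it, confirm the grant from the API server's point of view rather than by waiting for the controller to restart: `kubectl auth can-i list pods --as=system:serviceaccount:kube-system:alb-ingress-controller` should answer `yes`, and the same check with `--as` pointed at a service account that has no binding should answer `no`. Note that `roleRef` on a binding is immutable, so changing which ClusterRole is bound means deleting and recreating the binding. Because the ClusterRole in the question includes `get`, `list` and `watch` on `secrets`, this binding gives the controller read access to every Secret in the cluster; if that is wider than the controller needs, trim the rule rather than the binding.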