My service account cannot list certain resources, even though the Role and RoleBinding have sufficient permissions.
I see this error:
2023-09-08T15:30:21.875Z INFO controller k8s.io/[email protected]/tools/cache/reflector.go:169:
failed to list *v1.Lease: leases.coordination.k8s.io is forbidden: User "system:serviceaccount:karpenter:karpenter"
cannot list resource "leases" in API group "coordination.k8s.io"
in the namespace "kube-node-lease"
When I check the service account's authorization, I see the following error:
➜ ~ kubectl auth can-i get leases --as system:serviceaccount:karpenter:karpenter
error: You must be logged in to the server (the server has asked for the client to provide credentials (post selfsubjectaccessreviews.authorization.k8s.io))
Role/RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: karpenter-lease
  namespace: kube-node-lease
  labels:
    helm.sh/chart: karpenter-v0.30.0
    app.kubernetes.io/name: karpenter
    app.kubernetes.io/instance: karpenter
    app.kubernetes.io/version: "0.30.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: karpenter-lease
subjects:
  - kind: ServiceAccount
    name: karpenter
    namespace: karpenter
---
# Source: karpenter/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: karpenter-lease
  namespace: kube-node-lease
  labels:
    helm.sh/chart: karpenter-v0.30.0
    app.kubernetes.io/name: karpenter
    app.kubernetes.io/instance: karpenter
    app.kubernetes.io/version: "0.30.0"
    app.kubernetes.io/managed-by: Helm
rules:
  # Read
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  # Write
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["delete"]
AFAIR, K8s 1.24 introduced some breaking changes around service account tokens, which is why I also created a token for the service account, but it doesn't seem to work either.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: karpenter
  annotations:
    kubernetes.io/service-account.name: karpenter
type: kubernetes.io/service-account-token
EOF
Has anyone run into a problem like this?
Thanks for your help.
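As an added illustration (not part of the question or of Karpenter), the following Python script parses the forbidden message from the log above into the user/verb/resource/group/namespace tuple that the RBAC authorizer evaluates, and replays it against in-memory copies of the Role and RoleBinding shown. It confirms that these objects, as written, do grant `list` on leases in `kube-node-lease` to the `karpenter` service account, so a forbidden response points at something outside the manifests (for example objects not actually applied, or applied to a different namespace). It assumes the manifests embedded as dicts, and does not model `resourceNames` or ClusterRoleBindings.

```python
import re

# Constructed copies of the Role and RoleBinding from the question, as plain dicts (no YAML lib).
ROLE = {"metadata": {"name": "karpenter-lease", "namespace": "kube-node-lease"},
        "rules": [{"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
                   "verbs": ["get", "list", "watch"]},
                  {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
                   "verbs": ["delete"]}]}
ROLEBINDING = {"metadata": {"name": "karpenter-lease", "namespace": "kube-node-lease"},
               "roleRef": {"kind": "Role", "name": "karpenter-lease"},
               "subjects": [{"kind": "ServiceAccount", "name": "karpenter",
                             "namespace": "karpenter"}]}
ROLES = {("kube-node-lease", "karpenter-lease"): ROLE}   # Roles keyed by (namespace, name)

# The forbidden message from the question's log, joined onto one line.
LOG_LINE = ('failed to list *v1.Lease: leases.coordination.k8s.io is forbidden: '
            'User "system:serviceaccount:karpenter:karpenter" cannot list resource '
            '"leases" in API group "coordination.k8s.io" in the namespace "kube-node-lease"')

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?')

def parse_forbidden(msg):
    """Turn an apiserver 'forbidden' message into a SubjectAccessReview-style dict."""
    m = FORBIDDEN_RE.search(msg)
    if not m:
        return None
    req = m.groupdict()
    req["namespace"] = req["namespace"] or ""   # absent namespace => cluster-scoped request
    return req

def subject_matches(subject, user):
    """A ServiceAccount subject matches the username system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "User" and subject["name"] == user

def rule_allows(rule, req):
    """A rule grants the request when API group, resource and verb all match (or are '*')."""
    return all("*" in rule[k] or req[v] in rule[k]
               for k, v in (("apiGroups", "group"), ("resources", "resource"), ("verbs", "verb")))

def evaluate(req, bindings, roles):
    """True if a RoleBinding in the request's namespace binds a matching subject to a Role
    with a matching rule. RBAC is purely additive: nothing ever denies."""
    for b in bindings:
        if b["metadata"]["namespace"] != req["namespace"]:
            continue    # a Role/RoleBinding only covers its own namespace
        if not any(subject_matches(s, req["user"]) for s in b.get("subjects", [])):
            continue
        role = roles.get((b["metadata"]["namespace"], b["roleRef"]["name"]))
        if role and any(rule_allows(r, req) for r in role["rules"]):
            return True
    return False
```

Running `evaluate(parse_forbidden(LOG_LINE), [ROLEBINDING], ROLES)` returns True, while the same request against the `default` namespace, with verb `update`, or from a service account in another namespace returns False.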
1 answer
To debug, you should first make sure that the Secret and ServiceAccount objects are in the karpenter namespace, because according to the YAML manifest of the secret you provided there is no namespace field. One more thing: judging by the command, it doesn't look right, you have to specify the namespace:
Regarding the second error
error: You must be logged in to the server (the server has asked for the client to provide credentials (post selfsubjectaccessreviews.authorization.k8s.io))
: this is a very common, generic error related to authentication problems against the API server.
So make sure you are logged in to the correct context; to check, you can run any other command to verify, for example: