Kubernetes ServiceAccount无法列出某些资源(K8s 1.24)

ncgqoxb0  于 2023-10-17  发布在  Kubernetes
关注(0)|答案(1)|浏览(164)

我的服务帐户无法列出某些资源,即使角色和角色绑定具有足够的权限。
我看到这个错误

2023-09-08T15:30:21.875Z    INFO    controller  k8s.io/[email protected]/tools/cache/reflector.go:169: 
failed to list *v1.Lease: leases.coordination.k8s.io is forbidden: User "system:serviceaccount:karpenter:karpenter" 
cannot list resource "leases" in API group "coordination.k8s.io" 
in the namespace "kube-node-lease"

当我检查服务帐户身份验证时,我看到以下错误。

➜  ~ kubectl auth  can-i get leases --as system:serviceaccount:karpenter:karpenter
error: You must be logged in to the server (the server has asked for the client to provide credentials (post selfsubjectaccessreviews.authorization.k8s.io))

角色/角色约束

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: karpenter-lease
  namespace: kube-node-lease
  labels:
    helm.sh/chart: karpenter-v0.30.0
    app.kubernetes.io/name: karpenter
    app.kubernetes.io/instance: karpenter
    app.kubernetes.io/version: "0.30.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: karpenter-lease
subjects:
  - kind: ServiceAccount
    name: karpenter
    namespace: karpenter
---
# Source: karpenter/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: karpenter-lease
  namespace: kube-node-lease
  labels:
    helm.sh/chart: karpenter-v0.30.0
    app.kubernetes.io/name: karpenter
    app.kubernetes.io/instance: karpenter
    app.kubernetes.io/version: "0.30.0"
    app.kubernetes.io/managed-by: Helm
rules:
  # Read
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  # Write
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["delete"]

AFAR,K8s 1.24在服务帐户令牌方面有一些突破性的变化,这就是为什么,我还为服务帐户创建了一个令牌,但它似乎不起作用。

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: karpenter
  annotations:
    kubernetes.io/service-account.name: karpenter
type: kubernetes.io/service-account-token
EOF

你们有没有遇到过这样的问题?
谢谢你的帮助

jtjikinw

jtjikinw1#

要进行调试,您应该首先确保Secret和serviceaccount对象位于Karpenter命名空间中,因为根据您提供的secret的yaml清单,没有命名空间字段。
还有一件事,根据命令,它看起来不好,你必须指定命名空间:

kubectl auth can-i get leases --as system:serviceaccount:karpenter:karpenter \ 
--namespace kube-node-lease

根据第二个错误error: You must be logged in to the server (the server has asked for the client to provide credentials (post selfsubjectaccessreviews.authorization.k8s.io))
这是一个非常常见的一般性错误,与针对API服务器的身份验证问题有关。
因此,请确保您登录到正确的上下文,以检查您可以运行任何其他命令来验证,例如:

kubectl config current-context #to view your current context
kubectl get rolebinding,role, sa --namespace karpenter

相关问题