kubernetes - 如何为 Kubernetes 集群中的所有命名空间创建服务帐户？

问题描述

所以我有命名空间

ns1、ns2、ns3 和 ns4。

我在 ns1 中有一个服务帐户 sa1。我正在将 pod 部署到使用 sa1 的 ns2、ns4。当我查看日志时，它告诉我找不到 ns2 中的 sa1。

错误：

创建错误：pod“web-test-2-795f5fd489-”被禁止：查找服务帐户 ns2/sa 时出错：找不到服务帐户“sa”

有没有办法使服务帐户集群范围广泛？或者，我可以使用相同的密钥创建多个服务帐户吗？在不同的命名空间？

标签： kubernetes

你可以用那个

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-enforce
rules:
- apiGroups: ["apps"]
  resources: ["deployments","pods","daemonsets"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["*"]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
    
--- 
apiVersion: v1
kind: ServiceAccount

metadata:
  name: kubernetes-enforce
  namespace: kube-system
---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-logging
  namespace: cattle-logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-prome
  namespace: cattle-prometheus
roleRef: 
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-system
  namespace: cattle-system
roleRef: 
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-default
  namespace: default
roleRef: 
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system

kubernetes - 如何为 Kubernetes 集群中的所有命名空间创建服务帐户？

问题描述

解决方案

推荐阅读