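kubernetes - Kubernetes Dashboard error message: configmaps is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource
Question
The Kubernetes Dashboard outputs a bunch of error messages.
Should you ignore them? If not, how do you fix them?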
warning
configmaps is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "configmaps" in API group "" in the namespace "default"
warning
persistentvolumeclaims is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "persistentvolumeclaims" in API group "" in the namespace "default"
warning
secrets is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "secrets" in API group "" in the namespace "default"
warning
services is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "services" in API group "" in the namespace "default"
warning
ingresses.extensions is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "ingresses" in API group "extensions" in the namespace "default"
warning
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "daemonsets" in API group "apps" in the namespace "default"
warning
events is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "events" in API group "" in the namespace "default"
warning
jobs.batch is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "jobs" in API group "batch" in the namespace "default"
warning
cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "cronjobs" in API group "batch" in the namespace "default"
warning
replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "replicationcontrollers" in API group "" in the namespace "default"
warning
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "statefulsets" in API group "apps" in the namespace "default"
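Solution
It looks like your cluster has RBAC enabled, and the deployment controller is missing the service account defined in the deployment controller pod. You should be able to mitigate this easily by adding this SA and its role/binding.
There are two ways to do it.
You can create the binding with a simple one-liner via the CLI, or the YAML way: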
$ kubectl create clusterrolebinding deployment-controller --clusterrole=cluster-admin --serviceaccount=kube-system:deployment-controller
If you want to define the ClusterRoleBinding in a YAML file, create the file below under some name, say dashboard-rb.yaml, and run the command that follows it:
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable API version
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployment-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: deployment-controller
  namespace: kube-system
$ kubectl create -f dashboard-rb.yaml
See also: kubernetes-dashboard-access-warnings, access-rbac-enabled-kubernetes-dashboard, k8s-crb-warning, kubernetes-dashboard-is-forbidden-all-over-the-site.
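
As an added example (not part of the original answer), this Python script parses "forbidden" messages of the form quoted in the question and generates a namespaced Role and RoleBinding that grant only the denied verb/resource pairs, a narrower grant than binding cluster-admin. Assumptions: the Role name dashboard-list-only is hypothetical, the sample input is constructed from the question's warnings, and leaving out secrets by default is this example's choice, because list on secrets returns their contents.

```python
import json
import re
from collections import defaultdict

# Constructed sample: four of the warnings quoted in the question.
SAMPLE = """\
configmaps is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "configmaps" in API group "" in the namespace "default"
secrets is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "secrets" in API group "" in the namespace "default"
daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "daemonsets" in API group "apps" in the namespace "default"
statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:deployment-controller" cannot list resource "statefulsets" in API group "apps" in the namespace "default"
"""

DENIED = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<res>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<ns>[^"]+)"')


def rules_from_denials(text, skip=("secrets",)):
    """Map (sa_ns, sa, target_ns) -> RBAC rules covering only the denied calls."""
    # `list` on secrets returns the secret data, so it is skipped unless skip=().
    found = defaultdict(lambda: defaultdict(set))
    for m in DENIED.finditer(text):
        if m["res"] in skip:
            continue
        found[m["sa_ns"], m["sa"], m["ns"]][m["group"], m["verb"]].add(m["res"])
    return {key: [{"apiGroups": [g], "resources": sorted(r), "verbs": [v]}
                  for (g, v), r in sorted(by_gv.items())]
            for key, by_gv in found.items()}


def render(name, key, rules):
    """Return a namespaced Role and RoleBinding as a two-document YAML string."""
    sa_ns, sa, ns = key
    body = "\n".join(
        f"- apiGroups: {json.dumps(r['apiGroups'])}\n"
        f"  resources: {json.dumps(r['resources'])}\n"
        f"  verbs: {json.dumps(r['verbs'])}" for r in rules)
    return (f"apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\n"
            f"metadata:\n  name: {name}\n  namespace: {ns}\nrules:\n{body}\n---\n"
            f"apiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\n"
            f"metadata:\n  name: {name}\n  namespace: {ns}\n"
            f"roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: {name}\n"
            f"subjects:\n- kind: ServiceAccount\n  name: {sa}\n  namespace: {sa_ns}\n")


if __name__ == "__main__":
    for key, rules in rules_from_denials(SAMPLE).items():
        print(render("dashboard-list-only", key, rules))  # Role name is hypothetical
```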