kubernetes - 如何从 POD A 执行 shell 脚本到另一个 POD B

问题描述

我有两个在 kubernetes 集群内运行的 pod。豆荚如下

1. mongodb pod 类型：StatefulSet
2. 脚本 pod 类型：Job

从script pod我正在运行要在mongodb pod.

bash 脚本包含以下代码，这些代码执行到 mongodb pod 并执行以下命令。

kubectl exec mongo-0 -c mongo -- mongo --eval 'rs.initiate({_id: "rs0", version: 1, members: [ {_id: 0, host: "mongo-0.mongo.default.svc.cluster.local:27017"}, {_id: 1, host: "mongo-1.mongo.default.svc.cluster.local:27017"}, {_id: 2, host: "mongo-2.mongo.default.svc.cluster.local:27017"} ]});'

但是当我运行时script pod，出现以下错误

Error from server (Forbidden): pods "mongo-0" is forbidden: User "system:serviceaccount:default:default" cannot create resource "pods/exec" in API group "" in the namespace "default"

我应该怎么做才能为script pod在 mongodb pod 中运行上述命令提供权限？

所以就像你说的，我创建了另一个 pod，它是 kind:job 并包含 script.sh。

在 script.sh 文件中，我对主 pod 运行“kubectl exec”以运行一些命令

脚本被执行，但我收到错误“无法在 API 组中创建资源“pods/exec”

所以我创建了一个带有资源的集群角色： ["pods/exec"] 并使用 ClusterRoleBinding 将其绑定到默认服务帐户

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]

--- 

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-account-role-binding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default


In the pod which is of kind:job, I include the service account like shown below

restartPolicy: Never
serviceAccountName: default

but I still get the same error. What am I doing wrong here ?

Error from server (Forbidden): pods "mongo-0" is forbidden: User "system:serviceaccount:default:default" cannot create resource "pods/exec" in API group "" in the namespace "default"

标签： kuberneteskubernetes-podkubernetes-rbac