Default user forbidden from creating a namespace when trying to install Meshery for EKS

Problem description

I ran the following command:

kubectl create namespace meshery

I received the following error:

Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:default" cannot create resource "namespaces" in API group "" at the cluster scope

The steps I ran before that are as follows:

[ec2-user@ip-10-0-0-43 ~]$ kubectl create serviceaccount meshery
Error from server (AlreadyExists): serviceaccounts "meshery" already exists
[ec2-user@ip-10-0-0-43 ~]$ kubectl create clusterrolebinding meshery-binding --clusterrole=cluster-admin \
>  --serviceaccount=default:meshery
error: failed to create clusterrolebinding: clusterrolebindings.rbac.authorization.k8s.io "meshery-binding" already exists
[ec2-user@ip-10-0-0-43 ~]$ kubectl get secrets
NAME                               TYPE                                  DATA   AGE
bookinfo-details-token-tm654       kubernetes.io/service-account-token   3      40h
bookinfo-productpage-token-lr9zq   kubernetes.io/service-account-token   3      40h
bookinfo-ratings-token-2gc5h       kubernetes.io/service-account-token   3      40h
bookinfo-reviews-token-8k76p       kubernetes.io/service-account-token   3      40h
default-token-zwx6k                kubernetes.io/service-account-token   3      3d
meshery-token-x94qk                kubernetes.io/service-account-token   3      3d
[ec2-user@ip-10-0-0-43 ~]$ kubectl describe secret default-token-zwx6k
Name:         default-token-zwx6k
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 33a3496d-db4c-4fb3-b634-204560210f90

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IlJ4RV82SFR1Q3ltQVp2dHZBMEpNd2RkaTVqM2hQOHB3SURIZDRoVW9lRGcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tend4NmsiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzYTM0OTZkLWRiNGMtNGZiMy1iNjM0LTIwNDU2MDIxMGY5MCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.TdvS4w0i0ky4dWoqrCL4PrggkpbdxlwqAhPpVQuItqCIPThB_IbCbve6KCMKSePNhO6Kw_TV9TiCiZMSzoqc0T_4PnrAcj48IafKi8_JbcNACeoR7KbSNnYigL8Ou1uQFmcM2Wu2FVjaaCg1tVUC4T0oCPH9MQLnyXIbs7lZk6Ip0Cu0qm-86XyyRSdg5m6qc9FkJqZJfiu65EOmNZhhDbx452PmZ4Ag73WcJKCTDMfZBDq5FiQM4eZtpgTjFec0980JpoBqQppVYOyjSh5sjKqkJNo-BcRDiVcAJRM23gDF5Xu4OABvWX3-cgpwb0cdZ0Xx-RK3xomzSu2Qstn5pw
[ec2-user@ip-10-0-0-43 ~]$ kubectl config set-credentials meshery --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IlJ4RV82SFR1Q3ltQVp2dHZBMEpNd2RkaTVqM2hQOHB3SURIZDRoVW9lRGcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tend4NmsiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzYTM0OTZkLWRiNGMtNGZiMy1iNjM0LTIwNDU2MDIxMGY5MCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.TdvS4w0i0ky4dWoqrCL4PrggkpbdxlwqAhPpVQuItqCIPThB_IbCbve6KCMKSePNhO6Kw_TV9TiCiZMSzoqc0T_4PnrAcj48IafKi8_JbcNACeoR7KbSNnYigL8Ou1uQFmcM2Wu2FVjaaCg1tVUC4T0oCPH9MQLnyXIbs7lZk6Ip0Cu0qm-86XyyRSdg5m6qc9FkJqZJfiu65EOmNZhhDbx452PmZ4Ag73WcJKCTDMfZBDq5FiQM4eZtpgTjFec0980JpoBqQppVYOyjSh5sjKqkJNo-BcRDiVcAJRM23gDF5Xu4OABvWX3-cgpwb0cdZ0Xx-RK3xomzSu2Qstn5pw
User "meshery" set.
[ec2-user@ip-10-0-0-43 ~]$ kubectl config set-context --current --user=meshery
Context "arn:aws:eks:us-east-1:632078958246:cluster/icluster1" modified.
[ec2-user@ip-10-0-0-43 ~]$ kubectl config view --minify --flatten >  config_aws_eks.yaml
[ec2-user@ip-10-0-0-43 ~]$ cat config_aws_eks.yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://BE1866C372B4FCB9E011E90A2BA78F79.gr7.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:632078958246:cluster/icluster1
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:632078958246:cluster/icluster1
    user: meshery
  name: arn:aws:eks:us-east-1:632078958246:cluster/icluster1
current-context: arn:aws:eks:us-east-1:632078958246:cluster/icluster1
kind: Config
preferences: {}
users:
- name: meshery
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlJ4RV82SFR1Q3ltQVp2dHZBMEpNd2RkaTVqM2hQOHB3SURIZDRoVW9lRGcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tend4NmsiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzYTM0OTZkLWRiNGMtNGZiMy1iNjM0LTIwNDU2MDIxMGY5MCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.TdvS4w0i0ky4dWoqrCL4PrggkpbdxlwqAhPpVQuItqCIPThB_IbCbve6KCMKSePNhO6Kw_TV9TiCiZMSzoqc0T_4PnrAcj48IafKi8_JbcNACeoR7KbSNnYigL8Ou1uQFmcM2Wu2FVjaaCg1tVUC4T0oCPH9MQLnyXIbs7lZk6Ip0Cu0qm-86XyyRSdg5m6qc9FkJqZJfiu65EOmNZhhDbx452PmZ4Ag73WcJKCTDMfZBDq5FiQM4eZtpgTjFec0980JpoBqQppVYOyjSh5sjKqkJNo-BcRDiVcAJRM23gDF5Xu4OABvWX3-cgpwb0cdZ0Xx-RK3xomzSu2Qstn5pw

Goal: install and configure Meshery for an EKS cluster.

Reference links:

  1. https://meshery.layer5.io/docs/installation/platforms/eks
  2. https://github.com/layer5io/meshery/blob/master/docs/pages/installation/kubernetes.md

Edit: I set the kube context as you suggested, but I'm still not getting there:

[ec2-user@ip-10-0-0-43 ~]$ kubectl get users
Please enter Username:

[ec2-user@ip-10-0-0-43 ~]$ kubectl get ns
Please enter Username:

Tags: kubernetes, amazon-eks, servicemesh

Solution


I have followed your steps and the instructions you provided, and I managed to reproduce your problem:

➜  ~ kubectl create namespace meshery

Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:meshery" cannot create resource "namespaces" in API group "" at the cluster scope

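Switching the context back did allow me to create the desired namespace, which leads to the conclusion that the meshery role is not set up correctly: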

    ➜  ~ kubectl config set-context --current --user=minikube
    Context "minikube" modified.
    ➜  ~ kubectl create namespace meshery                    
    
    namespace/meshery created

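Having a closer look at the problem, I found that the name of the ClusterRole referenced in the ClusterRoleBinding is incorrect, and that the serviceaccount is quoted in the name of the ClusterRole: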


    ➜  ~ kubectl get clusterrolebinding meshery-binding -oyaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      managedFields:
      - apiVersion: rbac.authorization.k8s.io/v1
        manager: kubectl-create
        operation: Update
      name: meshery-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin--serviceaccount=default:meshery

This means that the command in the documentation is written incorrectly, since there should be a space between cluster-admin and --serviceaccount=default:meshery:

kubectl create clusterrolebinding meshery-binding --clusterrole=cluster-admin\--serviceaccount=default:meshery

Once I corrected the space:

kubectl create clusterrolebinding meshery-binding --clusterrole=cluster-admin --serviceaccount=default:meshery

You can see that the ClusterRoleBinding now looks correct:


➜  ~ kubectl get clusterrolebinding meshery-binding -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    manager: kubectl-create
    operation: Update
  name: meshery-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: meshery
  namespace: default

Now switching the context to meshery works as expected:

➜  ~ kubectl config set-context --current --user=meshery 
Context "minikube" modified.
➜  ~ kubectl create namespace meshery 
namespace/meshery created
