kubernetes - Listing/creating PVs with Kubernetes RBAC fails
Problem description
I have a service account that has access to one of the application namespaces. I created a cluster role and a role binding and mapped it to the associated service account in that namespace. Everything works as expected except listing/creating PVs at the cluster level. Could someone please help.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dxf-clusterrole
rules:
  - apiGroups:
      - ""
      - apps
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - roles.rbac.authorization.k8s.io
      - authorization.k8s.io
    resources:
      - secrets
      - configmaps
      - deployments
      - endpoints
      - horizontalpodautoscalers
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - roles   # RBAC resource names are plural; "role" would match nothing
      - rolebindings
    verbs:
      - get
      - watch
      - list
      - create
      - delete
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dxf-clusterrolebinding
  namespace: dxf-uat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dxf-clusterrole
subjects:
  - kind: ServiceAccount
    name: dxf-deployer
    namespace: dxf-uat
User "system:serviceaccount:dxf-uat:dxf-deployer" cannot get resource "persistentvolumes" in API group "" at the cluster scope
Solution
There are four Kubernetes objects, Role, ClusterRole, RoleBinding and ClusterRoleBinding, that we can use to configure the required RBAC rules. Role and RoleBinding are namespaced; ClusterRole and ClusterRoleBinding are cluster-scoped resources.
As you can see in the RoleBinding and ClusterRoleBinding documentation:
A RoleBinding grants permissions within a specific namespace, whereas a ClusterRoleBinding grants that access cluster-wide.
Your problem concerns all cluster-scoped resources, such as PersistentVolumes, Nodes and Namespaces:
$ kubectl get nodes --as=system:serviceaccount:dxf-uat:dxf-deployer
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:dxf-uat:dxf-deployer" cannot list resource "nodes" in API group "" at the cluster scope
$ kubectl get persistentvolumes -n dxf-uat --as=system:serviceaccount:dxf-uat:dxf-deployer
Error from server (Forbidden): persistentvolumes is forbidden: User "system:serviceaccount:dxf-uat:dxf-deployer" cannot list resource "persistentvolumes" in API group "" at the cluster scope
$ kubectl get namespaces --as=system:serviceaccount:dxf-uat:dxf-deployer
Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:dxf-uat:dxf-deployer" cannot list resource "namespaces" in API group "" at the cluster scope
You need to create a ClusterRole containing all the cluster-scoped resources you want to access from the dxf-deployer ServiceAccount, and then bind that ClusterRole to the dxf-deployer ServiceAccount using a ClusterRoleBinding.
In the example below, I have granted the dxf-deployer ServiceAccount permissions on Nodes and PersistentVolumes:
$ cat cluster-scope-permissions.yml
# cluster-scope-permissions.yml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-scope-role
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - create
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-scope-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-scope-role
subjects:
  - kind: ServiceAccount
    name: dxf-deployer
    namespace: dxf-uat
Finally, we can check that it works as expected:
$ kubectl apply -f cluster-scope-permissions.yml
clusterrole.rbac.authorization.k8s.io/cluster-scope-role created
clusterrolebinding.rbac.authorization.k8s.io/cluster-scope-rolebinding created
$ kubectl get nodes --as=system:serviceaccount:dxf-uat:dxf-deployer
NAME    STATUS   ROLES    AGE     VERSION
node1   Ready    <none>   5h11m   v1.18.12-gke.1210
node2   Ready    <none>   5h11m   v1.18.12-gke.1210
$ kubectl get persistentvolumes -n dxf-uat --as=system:serviceaccount:dxf-uat:dxf-deployer
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                STORAGECLASS   REASON   AGE
pvc-0ba2fd12-c883-45b8-b52d-a6c826a2775a   8Gi        RWO            Delete           Bound    default/my-jenkins   standard                131m
pvc-b4b7a4c8-c9ad-4e83-b1ee-663b3e4d938b   10Gi       RWO            Delete           Bound    default/debug-pvc    standard                5h12m
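As an added illustration (not part of the original question or answer), the Python script below models the scoping rule the answer relies on: a RoleBinding is only consulted for requests inside its own namespace, so the persistentvolumes entry in dxf-clusterrole never reaches a cluster-scoped list, while the answer's ClusterRoleBinding does. The Rule/Binding classes and the sample bindings are constructed here from the page's manifests; nonResourceURLs and resourceNames are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

SA = "system:serviceaccount:dxf-uat:dxf-deployer"

@dataclass
class Rule:
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]

@dataclass
class Binding:
    rules: List[Rule]          # rules of the ClusterRole the binding refers to
    subject: str               # the bound ServiceAccount
    namespace: Optional[str]   # RoleBinding namespace, or None for a ClusterRoleBinding

def rule_matches(rule: Rule, group: str, resource: str, verb: str) -> bool:
    return all(want in have or "*" in have for want, have in
               ((group, rule.api_groups), (resource, rule.resources), (verb, rule.verbs)))

def allowed(bindings: List[Binding], user: str, verb: str, resource: str,
            namespace: Optional[str] = None, group: str = "") -> bool:
    """namespace=None models a cluster-scoped request such as listing PVs.
    Like the RBAC authorizer, a RoleBinding is only consulted for requests in
    its own namespace; a ClusterRoleBinding is consulted for every request."""
    for b in bindings:
        if b.subject != user:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue   # a RoleBinding never reaches cluster scope or other namespaces
        if any(rule_matches(r, group, resource, verb) for r in b.rules):
            return True
    return False

# Constructed from the question: dxf-clusterrole, bound by a RoleBinding in dxf-uat.
dxf_clusterrole = [Rule({""}, {"pods", "secrets", "persistentvolumes", "nodes"},
                        {"get", "list", "watch", "create", "delete"})]
question_bindings = [Binding(dxf_clusterrole, SA, "dxf-uat")]

# Constructed from the answer: cluster-scope-role, bound by a ClusterRoleBinding.
cluster_scope_role = [Rule({""}, {"nodes", "persistentvolumes"},
                           {"get", "list", "watch", "create", "delete"})]
answer_bindings = question_bindings + [Binding(cluster_scope_role, SA, None)]

if __name__ == "__main__":
    for label, bindings in (("RoleBinding only", question_bindings),
                            ("plus ClusterRoleBinding", answer_bindings)):
        print(label, "-> list persistentvolumes at cluster scope:",
              allowed(bindings, SA, "list", "persistentvolumes"))
```

On a real cluster the equivalent check is `kubectl auth can-i list persistentvolumes --as=system:serviceaccount:dxf-uat:dxf-deployer`, which answers no before the ClusterRoleBinding is applied and yes afterwards; note that the answer's ClusterRole deliberately omits namespaces, so that request stays denied.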