kubernetes - 使用 kubernetes RBAC 列出/创建 PV 失败

有四个 Kubernetes 对象：Role、ClusterRole、RoleBinding和ClusterRoleBinding，我们可以使用它们来配置所需的RBAC规则。Role和RoleBinding是命名空间的ClusterRole和ClusterRoleBinding是集群范围的资源。

正如您在RoleBinding 和 ClusterRoleBinding 文档中看到的那样：

RoleBinding 授予特定命名空间内的权限，而 ClusterRoleBinding 授予访问集群范围的权限。

您的问题在于所有集群范围的资源，例如PersistentVolumes,Nodes等Namespaces：

$ kubectl get nodes --as=system:serviceaccount:dxf-uat:dxf-deployer
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:dxf-uat:dxf-deployer" cannot list resource "nodes" in API group "" at the cluster scope

$ kubectl get persistentvolumes -n dxf-uat --as=system:serviceaccount:dxf-uat:dxf-deployer
Error from server (Forbidden): persistentvolumes is forbidden: User "system:serviceaccount:dxf-uat:dxf-deployer" cannot list resource "persistentvolumes" in API group "" at the cluster scope

$ kubectl get namespaces --as=system:serviceaccount:dxf-uat:dxf-deployer
Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:dxf-uat:dxf-deployer" cannot list resource "namespaces" in API group "" at the cluster scope

您需要创建一个ClusterRole包含您希望从 访问的所有集群范围资源dxf-deployer ServiceAccount，然后将其绑定ClusterRole到dxf-deployer ServiceAccountusing ClusterRoleBinding。

在下面的示例中，我已授予dxf-deployer ServiceAccounttoNodes和 的权限PersistentVolumes：

$ cat cluster-scope-permissions.yml
# cluster-scope-permissions.yml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-scope-role
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
  - create
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-scope-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-scope-role
subjects:
- kind: ServiceAccount
  name: dxf-deployer
  namespace: dxf-uat

最后，我们可以检查它是否按预期工作：

$ kubectl apply -f cluster-scope-permissions.yml
clusterrole.rbac.authorization.k8s.io/cluster-scope-role created
clusterrolebinding.rbac.authorization.k8s.io/cluster-scope-rolebinding created


$ kubectl get nodes --as=system:serviceaccount:dxf-uat:dxf-deployer
NAME                                       STATUS   ROLES    AGE     VERSION
node1                                      Ready    <none>   5h11m   v1.18.12-gke.1210
node2                                      Ready    <none>   5h11m   v1.18.12-gke.1210

$ kubectl get persistentvolumes -n dxf-uat --as=system:serviceaccount:dxf-uat:dxf-deployer
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                STORAGECLASS   REASON   AGE
pvc-0ba2fd12-c883-45b8-b52d-a6c826a2775a   8Gi        RWO            Delete           Bound    default/my-jenkins   standard                131m
pvc-b4b7a4c8-c9ad-4e83-b1ee-663b3e4d938b   10Gi       RWO            Delete           Bound    default/debug-pvc    standard                5h12m