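I want to watch k8s events for monitoring, and so far I have completed the following steps:
1. create a serviceaccount
2. create a role, allow list/get/watch events
3. create rolebinding
But the process gives nothing except an error and Forbidden. Is there something wrong?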
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-events
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-events
rules:
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: kube-events
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kube-events
subjects:
- kind: ServiceAccount
  name: kube-events

kubernetes.client.rest.ApiException: (403) Reason: Forbidden HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json','X-Content-Type-Options': 'nosniff','Date': 'Mon,11 Nov 2019 09:26:34 GMT','Content-Length': '287'}) HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"events is forbidden: User \\"system:serviceaccount:kkmh-ruly:kube-events\\" cannot watch resource \\"events\\" in API group \\"\\" at the cluster scope","reason":"Forbidden","details":{"kind":"events"},"code":403}\n'
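
How the posted Role and RoleBinding are evaluated against the request in the 403, as an added example that is not part of the original post: a simplified model of the RBAC decision showing that a namespaced binding never satisfies a request "at the cluster scope". The `allowed` and `rule_matches` helpers and the cluster-wide variant are constructed for illustration; the namespace `kkmh-ruly` is taken from the error message.

```python
# Added example: a simplified model of the RBAC decision, not API server code.
# The dicts mirror the manifests in the post; the namespace is taken from the
# error message (system:serviceaccount:kkmh-ruly:kube-events).
NS = "kkmh-ruly"
SA = ("ServiceAccount", "kube-events", NS)
RULES = [{"apiGroups": [""], "resources": ["events"],
          "verbs": ["get", "list", "watch"]}]

# As posted: a namespaced Role bound by a namespaced RoleBinding.
POSTED_ROLES = {("Role", NS, "kube-events"): RULES}
POSTED_BINDINGS = [{"kind": "RoleBinding", "namespace": NS,
                    "roleRef": {"kind": "Role", "name": "kube-events"},
                    "subjects": [{"kind": "ServiceAccount", "name": "kube-events"}]}]

# Cluster-wide variant (constructed for comparison): same rules, cluster scope.
CLUSTER_ROLES = {("ClusterRole", None, "kube-events"): RULES}
CLUSTER_BINDINGS = [{"kind": "ClusterRoleBinding", "namespace": None,
                     "roleRef": {"kind": "ClusterRole", "name": "kube-events"},
                     "subjects": [{"kind": "ServiceAccount", "name": "kube-events",
                                   "namespace": NS}]}]

def rule_matches(rule, verb, group, resource):
    """True if one PolicyRule covers the verb, API group and resource."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], group)
            and hit(rule["resources"], resource))

def allowed(roles, bindings, subject, verb, group, resource, namespace=None):
    """namespace=None models a cluster-scope request (events in all namespaces)."""
    for b in bindings:
        if b["kind"] == "RoleBinding" and namespace != b["namespace"]:
            continue  # a RoleBinding only grants access inside its own namespace
        # A subject without a namespace defaults to the binding's namespace.
        subjects = [(s["kind"], s["name"], s.get("namespace", b["namespace"]))
                    for s in b["subjects"]]
        if subject not in subjects:
            continue
        ref = b["roleRef"]
        role_ns = b["namespace"] if ref["kind"] == "Role" else None
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])
        if any(rule_matches(r, verb, group, resource) for r in rules):
            return True
    return False

if __name__ == "__main__":
    print(allowed(POSTED_ROLES, POSTED_BINDINGS, SA, "watch", "", "events"))      # cluster scope
    print(allowed(POSTED_ROLES, POSTED_BINDINGS, SA, "watch", "", "events", NS))  # namespaced
```

In the Python client, `CoreV1Api.list_event_for_all_namespaces` issues the cluster-scope request and `CoreV1Api.list_namespaced_event` the namespaced one; keeping the Role and watching only the one namespace is the narrower grant.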