I set up a service account and a ClusterRoleBinding to grant the view role access to pods in all namespaces:
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: mine-user
      namespace: mine
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mine-rolebinding
    subjects:
    - kind: User
      name: mine-user
      namespace: mine
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: view
      apiGroup: rbac.authorization.k8s.io
I tried to list deployments with curl:

    curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/apis/apps/v1/namespaces/mine/deployments
But I get an error:

    "deployments.apps is forbidden: User \"system:serviceaccount:mine:mine-user\" cannot list resource \"deployments\" in API group \"apps\" in the namespace \"mine\""
even though the role binding exists:

    $ kubectl -n mine describe clusterrolebinding/mine-rolebinding
    Name:         mine-rolebinding
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  view
    Subjects:
      Kind  Name       Namespace
      ----  ----       ---------
      User  mine-user  mine
I get the same error when using a custom ClusterRole:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: mine-role
    rules:
    - apiGroups: ["apps"]
      resources: ["deployments"]
      verbs: ["get","list","watch"]

    $ kubectl -n mine describe clusterrolebinding/mine-rolebinding2
    Name:         mine-rolebinding2
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  ClusterRole
      Name:  mine-role
    Subjects:
      Kind  Name       Namespace
      ----  ----       ---------
      User  mine-user  mine

    $ kubectl -n mine describe clusterrole/mine-role
    Name:         mine-role
    Labels:       <none>
    Annotations:  <none>
    PolicyRule:
      Resources         Non-Resource URLs  Resource Names  Verbs
      ---------         -----------------  --------------  -----
      deployments.apps  []                 []              [get list watch]
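As an added illustration (not part of the question), the Python below mirrors how RBAC matches a binding's subjects against the identity the API server authenticated: a service-account token authenticates as system:serviceaccount:<namespace>:<name>, which is matched by a ServiceAccount subject, not by a User subject with the bare name. The first subject list is copied from the post's binding; the second is a constructed variant, and the Forbidden message is the one from the post.

```python
import re

# Subjects of the ClusterRoleBinding exactly as posted in the question.
BINDING_AS_POSTED = [
    {"kind": "User", "name": "mine-user", "namespace": "mine"},
]
# Constructed variant: the same name, but as a ServiceAccount subject.
BINDING_SERVICEACCOUNT = [
    {"kind": "ServiceAccount", "name": "mine-user", "namespace": "mine"},
]
# The API-server response quoted in the question (constructed copy, unescaped).
FORBIDDEN_MSG = ('deployments.apps is forbidden: User "system:serviceaccount:mine:mine-user" '
                 'cannot list resource "deployments" in API group "apps" in the namespace "mine"')

FORBIDDEN_RE = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"')

def parse_forbidden(msg):
    """Pull the authenticated username, verb and resource out of a Forbidden message."""
    m = FORBIDDEN_RE.search(msg)
    if not m:
        raise ValueError("not an RBAC Forbidden message")
    return m.group("user"), m.group("verb"), m.group("resource")

def identity_from_username(username):
    """Map the authenticated username to the RBAC subject it corresponds to.
    Service-account tokens authenticate as system:serviceaccount:<ns>:<name>; any other
    username is treated as a plain User. Group subjects are ignored in this simplified check."""
    parts = username.split(":")
    if len(parts) == 4 and parts[0] == "system" and parts[1] == "serviceaccount":
        return {"kind": "ServiceAccount", "name": parts[3], "namespace": parts[2]}
    return {"kind": "User", "name": username}

def subject_matches(subject, identity):
    """RBAC compares kind and name; namespace only takes part for ServiceAccount subjects."""
    if subject["kind"] != identity["kind"] or subject["name"] != identity["name"]:
        return False
    if subject["kind"] == "ServiceAccount":
        return subject.get("namespace") == identity["namespace"]
    return True

def binding_grants(subjects, username):
    """True if any subject of the binding matches the authenticated identity."""
    identity = identity_from_username(username)
    return any(subject_matches(s, identity) for s in subjects)

if __name__ == "__main__":
    user, verb, resource = parse_forbidden(FORBIDDEN_MSG)
    print(user, "matched by posted binding:", binding_grants(BINDING_AS_POSTED, user))
    print(user, "matched by ServiceAccount binding:", binding_grants(BINDING_SERVICEACCOUNT, user))
```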