无法使用 RBAC 列出部署资源
Unable to list deployments resources using RBAC
我在 Kubernetes 中为用户使用 x509 身份验证,效果很好。
然而,虽然提供对部署的访问似乎并没有正常工作,如下所示:
角色:
# kubectl get rolebindings devops-rb -n demo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: 2018-03-26T13:43:49Z
name: devops-rb
namespace: demo
resourceVersion: "2530329"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/demo/rolebindings/devops-rb
uid: b6c17e28-30fb-11e8-b530-000d3a11bb2f
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: devops-role
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: devops
角色绑定:
# kubectl get roles devops-role -n demo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: 2018-03-26T13:43:49Z
name: devops-role
namespace: demo
resourceVersion: "2538402"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/demo/roles/devops-role
uid: b6bee0fb-30fb-11e8-b530-000d3a11bb2f
rules:
- apiGroups:
- ""
resources:
- pods
- secrets
- services
- replicasets
- persistentvolumeclaims
- deployments
verbs:
- get
- list
- watch
正在尝试使用用户配置列出部署:
# kubectl --kubeconfig /root/.kube/config-tesla get deploy -n demo
Error from server (Forbidden): deployments.extensions is forbidden: User "tesla" cannot list deployments.extensions in the namespace "demo"
正在尝试使用管理员配置列出部署:
# kubectl get deploy -n demo
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
wordpress 1 1 1 1 13d
wordpress-mysql 1 1 1 1 13d
正在尝试列出 pods 使用用户配置:
# kubectl --kubeconfig /root/.kube/config-tesla get po -n demo
NAME READY STATUS RESTARTS AGE
ncp-centos-pod 1/1 Running 0 12d
wordpress-77d578745-vdgr9 1/1 Running 0 13d
wordpress-mysql-58cf8dc9f9-pzvbs 1/1 Running 0 13d
正在尝试使用管理员配置列出 pods:
# kubectl get pods -n demo
NAME READY STATUS RESTARTS AGE
ncp-centos-pod 1/1 Running 0 12d
wordpress-77d578745-vdgr9 1/1 Running 0 13d
wordpress-mysql-58cf8dc9f9-pzvbs 1/1 Running 0 13d
副本集和部署存在于 "extensions" 和 "apps" API 组中,而不存在于旧版“”组中
尝试:
rules:
- apiGroups:
- ""
resources:
- pods
- secrets
- services
- persistentvolumeclaims
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- apps
resources:
- deployments
- replicasets
verbs:
- get
- list
- watch
如果我没理解错的话..
检查:
kubectl describe clusterrole |grep devops-role
kubectl describe clusterrole |grep devops-rb
kubectl describe clusterrole | less
我在 Kubernetes 中为用户使用 x509 身份验证,效果很好。 然而,虽然提供对部署的访问似乎并没有正常工作,如下所示:
角色:
# kubectl get rolebindings devops-rb -n demo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: 2018-03-26T13:43:49Z
name: devops-rb
namespace: demo
resourceVersion: "2530329"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/demo/rolebindings/devops-rb
uid: b6c17e28-30fb-11e8-b530-000d3a11bb2f
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: devops-role
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: devops
角色绑定:
# kubectl get roles devops-role -n demo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: 2018-03-26T13:43:49Z
name: devops-role
namespace: demo
resourceVersion: "2538402"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/demo/roles/devops-role
uid: b6bee0fb-30fb-11e8-b530-000d3a11bb2f
rules:
- apiGroups:
- ""
resources:
- pods
- secrets
- services
- replicasets
- persistentvolumeclaims
- deployments
verbs:
- get
- list
- watch
正在尝试使用用户配置列出部署:
# kubectl --kubeconfig /root/.kube/config-tesla get deploy -n demo
Error from server (Forbidden): deployments.extensions is forbidden: User "tesla" cannot list deployments.extensions in the namespace "demo"
正在尝试使用管理员配置列出部署:
# kubectl get deploy -n demo
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
wordpress 1 1 1 1 13d
wordpress-mysql 1 1 1 1 13d
正在尝试列出 pods 使用用户配置:
# kubectl --kubeconfig /root/.kube/config-tesla get po -n demo
NAME READY STATUS RESTARTS AGE
ncp-centos-pod 1/1 Running 0 12d
wordpress-77d578745-vdgr9 1/1 Running 0 13d
wordpress-mysql-58cf8dc9f9-pzvbs 1/1 Running 0 13d
正在尝试使用管理员配置列出 pods:
# kubectl get pods -n demo
NAME READY STATUS RESTARTS AGE
ncp-centos-pod 1/1 Running 0 12d
wordpress-77d578745-vdgr9 1/1 Running 0 13d
wordpress-mysql-58cf8dc9f9-pzvbs 1/1 Running 0 13d
副本集和部署存在于 "extensions" 和 "apps" API 组中,而不存在于旧版“”组中
尝试:
rules:
- apiGroups:
- ""
resources:
- pods
- secrets
- services
- persistentvolumeclaims
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- apps
resources:
- deployments
- replicasets
verbs:
- get
- list
- watch
如果我没理解错的话..
检查:
kubectl describe clusterrole |grep devops-role
kubectl describe clusterrole |grep devops-rb
kubectl describe clusterrole | less