Setting up Traefik as Kubernetes Ingress on GCP

I am trying to follow this Traefik user guide: https://docs.traefik.io/user-guide/kubernetes/

The main difference between the user guide and my setup is that the guide assumes I am on Minikube, whereas I am trying to do this on Google Cloud Platform (GCP). I am new to Kubernetes, but I think I have a decent grasp of the basics.

Anyway, regarding the role-based access control configuration described in the user guide above, I keep getting this error:

Error from server (Forbidden): error when creating "rbac.yml": clusterroles.rbac.authorization.k8s.io "traefik-ingress-controller" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]}] user=&{evan@sherwood.io [system:authenticated] map[authenticator:[GKE]]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/" "/apis" "/apis/" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]

I think I am running into Privilege Escalation Prevention and Bootstrapping, but I am not sure what I need to change/do to get past this.

As the documentation you referenced states, you need to elevate your user's privileges, at least to the extent necessary to allow the RBAC rule changes.

The simplest way to achieve this is to add a ClusterRoleBinding that assigns cluster-admin privileges. The YAML would look like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: megacorp-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: john.doe@megacorp.com

The YAML assumes that the user email address you registered with GKE is john.doe@megacorp.com. After kubectl applying that manifest, you should be able to apply Traefik's extended RBAC rules accordingly.

Note that cluster-admin is basically the root user of the cluster. You can also choose a different set of permissions if you intend to restrict privileges further.
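As an added illustration of the escalation-prevention check described above (this is not code from the question, the answer, or the Traefik project), the following Python parses the two PolicyRule lists in a Forbidden message and reports which requested rules the requesting user does not already hold. The sample text is a constructed, shortened form of the error in the question.

```python
import re
from typing import NamedTuple

# Constructed sample: a shortened form of the Forbidden error quoted in the
# question, not output captured from a live cluster.
SAMPLE_ERROR = (
    'clusterroles.rbac.authorization.k8s.io "traefik-ingress-controller" is forbidden: '
    'attempt to grant extra privileges: '
    '[PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} '
    'PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]}] '
    'user=&{john.doe@megacorp.com [system:authenticated] map[authenticator:[GKE]]} '
    'ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], '
    'APIGroups:["authorization.k8s.io"], Verbs:["create"]} '
    'PolicyRule{NonResourceURLs:["/api" "/healthz"], Verbs:["get"]}] ruleResolutionErrors=[]'
)

RULE_RE = re.compile(r'PolicyRule\{([^}]*)\}')   # one PolicyRule{...} per match
FIELD_RE = re.compile(r'(\w+):\[([^\]]*)\]')     # Field:["a" "b"] inside a rule

class Rule(NamedTuple):
    resources: frozenset
    api_groups: frozenset
    verbs: frozenset

def parse_rules(text):
    """Extract resource rules; NonResourceURLs rules can never cover a resource rule."""
    rules = []
    for body in RULE_RE.findall(text):
        fields = {k: frozenset(re.findall(r'"([^"]*)"', v)) for k, v in FIELD_RE.findall(body)}
        if 'Resources' in fields:
            rules.append(Rule(fields['Resources'], fields.get('APIGroups', frozenset()), fields['Verbs']))
    return rules

def covers(owner, wanted):
    """True if the owner's rule is at least as broad as the wanted rule ('*' matches anything)."""
    def ok(have, want):
        return '*' in have or want <= have
    return ok(owner.resources, wanted.resources) and ok(owner.api_groups, wanted.api_groups) \
        and ok(owner.verbs, wanted.verbs)

def missing_rules(error_text):
    """Requested rules the user does not already hold, i.e. the ones RBAC refuses to let them grant."""
    requested_part, owner_part = error_text.split('ownerrules=', 1)
    requested = parse_rules(requested_part.split('attempt to grant extra privileges:', 1)[1])
    owned = parse_rules(owner_part)
    return [r for r in requested if not any(covers(o, r) for o in owned)]

if __name__ == '__main__':
    for rule in missing_rules(SAMPLE_ERROR):
        print(f"not held: {sorted(rule.verbs)} on {sorted(rule.resources)} in {sorted(rule.api_groups)}")
```

Once the user holds a rule that covers every requested one (cluster-admin's `*`/`*`/`*`, or a narrower role that still spans the Traefik rules), the list comes back empty and the ClusterRole can be created.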