无法授予服务帐户应用现有角色的权限 "Error from server (Forbidden) ... attempt to grant extra privileges"
Can't give service account permissions to apply an existing role "Error from server (Forbidden) ... attempt to grant extra privileges"
我正在尝试将 运行 kubectl apply -f somerole.yaml 的服务帐户权限授予 现有角色 。
我创建了一个具有以下权限的服务帐户:
cat > ~/tmp/Role.yaml <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: my-role6
rules:
- apiGroups: ["*"]
resources: ["roles"]
verbs: ["replace", "patch", "get", "list", "create"]
EOF
kubectl create -f ~/tmp/Role.yaml
所有后台权限(RoleBinding、上下文)似乎都不错,因为如果我在资源字段中添加 pods 我可以使用:
kubectl get pods --context=myservice6-context
当我 运行:
kubectl apply -f malrole.yaml --context=$CONTEXT_NAME
我收到了:
Error from server (Forbidden): error when creating "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]}] ruleResolutionErrors=[]
更具可读性的版本:
Error from server (Forbidden):
error when creating "malrole.yaml":
roles.rbac.authorization.k8s.io "testrole" is forbidden:
attempt to grant extra privileges:
[
PolicyRule{
Resources:["pods"], APIGroups:["*"], Verbs:["get"]
}
]
user=&{
system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928
[system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]
}
ownerrules=[
PolicyRule{
Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"],
Verbs:["create"]
}
PolicyRule{
NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"],
Verbs:["get"]
}
PolicyRule{
Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]
}
]
ruleResolutionErrors=[]
malrole.yaml(我尝试申请的文件):
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: testrole
rules:
- apiGroups: ["*"]
resources: ["pods"]
verbs: ["get"]
它写道:
An attemp to grant extra privileges...
不知道为什么。
根据文档:
ConfirmNoEscalation determines if the roles for a given user in a
given namespace encompass the provided role.
但我也尝试给自己更多的权限(见编辑),但我仍然收到此错误。
编辑:
即使我将权限更改为
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: my-role6
rules:
- apiGroups: ["*"]
resources: ["roles"]
verbs: ["*"]
我收到了:
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"rbac.authorization.k8s.io/v1beta1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"testrole\",\"namespace\":\"default\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"pods\"],\"verbs\":[\"list\",\"get\"]}]}\n"}},"rules":[{"apiGroups":["*"],"resources":["pods"],"verbs":["list","get"]}]}
to:
&{0xc420b26840 0xc4202b18f0 default testrole malrole.yaml 0xc4211a8988 0xc42000c008 1638 false}
for: "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["*"]}] ruleResolutionErrors=[]
@liggitt 告诉我
Escalation prevention rejects attempts to create roles containing
permissions you do not already possess
我发现为了能够应用角色,我需要拥有以下权限:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: $ROLE_NAME
rules:
- apiGroups: ["*"]
resources: ["roles", "pods"]
verbs: ["patch", "get", "list"]
我不确定为什么 pods 在我只是应用角色时应该成为资源的一部分。但也许应用程序为此使用了一些系统 pod。
如上文所述link:
To allow a user to create/update roles:
- Grant them a role that allows them to create/update Role or
ClusterRole objects, as desired.
- Grant them roles containing the
permissions you would want them to be able to set in a Role or
ClusterRole. If they attempt to create or modify a Role or ClusterRole
with permissions they themselves have not been granted, the API
request will be forbidden.
我正在尝试将 运行 kubectl apply -f somerole.yaml 的服务帐户权限授予 现有角色 。
我创建了一个具有以下权限的服务帐户:
cat > ~/tmp/Role.yaml <<EOF
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: my-role6
rules:
- apiGroups: ["*"]
resources: ["roles"]
verbs: ["replace", "patch", "get", "list", "create"]
EOF
kubectl create -f ~/tmp/Role.yaml
所有后台权限(RoleBinding、上下文)似乎都不错,因为如果我在资源字段中添加 pods 我可以使用:
kubectl get pods --context=myservice6-context
当我 运行:
kubectl apply -f malrole.yaml --context=$CONTEXT_NAME
我收到了:
Error from server (Forbidden): error when creating "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]}] ruleResolutionErrors=[]
更具可读性的版本:
Error from server (Forbidden):
error when creating "malrole.yaml":
roles.rbac.authorization.k8s.io "testrole" is forbidden:
attempt to grant extra privileges:
[
PolicyRule{
Resources:["pods"], APIGroups:["*"], Verbs:["get"]
}
]
user=&{
system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928
[system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]
}
ownerrules=[
PolicyRule{
Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"],
Verbs:["create"]
}
PolicyRule{
NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"],
Verbs:["get"]
}
PolicyRule{
Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]
}
]
ruleResolutionErrors=[]
malrole.yaml(我尝试申请的文件):
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: testrole
rules:
- apiGroups: ["*"]
resources: ["pods"]
verbs: ["get"]
它写道:
An attemp to grant extra privileges...
不知道为什么。
根据文档:
ConfirmNoEscalation determines if the roles for a given user in a given namespace encompass the provided role.
但我也尝试给自己更多的权限(见编辑),但我仍然收到此错误。
编辑:
即使我将权限更改为
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: my-role6
rules:
- apiGroups: ["*"]
resources: ["roles"]
verbs: ["*"]
我收到了:
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"rbac.authorization.k8s.io/v1beta1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"testrole\",\"namespace\":\"default\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"pods\"],\"verbs\":[\"list\",\"get\"]}]}\n"}},"rules":[{"apiGroups":["*"],"resources":["pods"],"verbs":["list","get"]}]}
to:
&{0xc420b26840 0xc4202b18f0 default testrole malrole.yaml 0xc4211a8988 0xc42000c008 1638 false}
for: "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["*"]}] ruleResolutionErrors=[]
@liggitt 告诉我
Escalation prevention rejects attempts to create roles containing permissions you do not already possess
我发现为了能够应用角色,我需要拥有以下权限:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: $ROLE_NAME
rules:
- apiGroups: ["*"]
resources: ["roles", "pods"]
verbs: ["patch", "get", "list"]
我不确定为什么 pods 在我只是应用角色时应该成为资源的一部分。但也许应用程序为此使用了一些系统 pod。
如上文所述link:
To allow a user to create/update roles:
- Grant them a role that allows them to create/update Role or ClusterRole objects, as desired.
- Grant them roles containing the permissions you would want them to be able to set in a Role or ClusterRole. If they attempt to create or modify a Role or ClusterRole with permissions they themselves have not been granted, the API request will be forbidden.