Kubernetes returns Forbidden even if RBAC permissions are set
I am trying to create a proper set of permissions for a serviceAccount.
For some reason it seems to ignore the permissions I granted and gives me a bunch of errors as a result. I don't understand what I'm doing wrong. Am I applying something in the wrong namespace or something like that?
My Role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: r-wercker-ingress-new
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
My RoleBinding:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: r-wercker-ingress-new
subjects:
  - kind: ServiceAccount
    name: wercker
    namespace: kube-ingress
roleRef:
  kind: Role
  name: r-wercker-ingress-new
  apiGroup: rbac.authorization.k8s.io
kubectl output for the Role:
kubectl describe role r-wercker-ingress-new
Name: r-wercker-ingress-new
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"r-wercker-ingress-new","namespace":"default"},"rules":[...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [] [create delete patch update get watch list]
deployments.extensions [] [] [create delete patch update get watch list]
horizontalpodautoscalers.autoscaling [] [] [create delete patch update get watch list]
namespaces [] [] [create delete patch update get watch list]
serviceaccounts [] [] [create delete patch update get watch list]
services [] [] [create delete patch update get watch list]
kubectl output for the RoleBinding:
kubectl describe rolebinding r-wercker-ingress-new
Name: r-wercker-ingress-new
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"r-wercker-ingress-new","namespace":"default"},"r...
Role:
Kind: Role
Name: r-wercker-ingress-new
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount wercker kube-ingress
Error output when trying to apply my resources:
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d380 0xc4205982a0 kube-ingress resources/kube-ingress/ingress-controller-nginx.yml 0xc420df4370 false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": namespaces "kube-ingress" is forbidden: User "system:serviceaccount:default:wercker" cannot get namespaces in the namespace "kube-ingress"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d440 0xc420599340 kube-ingress nginx-ingress-controller resources/kube-ingress/ingress-controller-nginx.yml 0xc420df43f8 false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": serviceaccounts "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get serviceaccounts in the namespace "kube-ingress"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d680 0xc4201e55e0 nginx-ingress-controller resources/kube-ingress/ingress-controller-nginx.yml 0xc420df4500 false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": clusterroles.rbac.authorization.k8s.io "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get clusterroles.rbac.authorization.k8s.io at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d740 0xc4204c4770 nginx-ingress-controller resources/kube-ingress/ingress-controller-nginx.yml 0xc420df4578 false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": clusterrolebindings.rbac.authorization.k8s.io "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get clusterrolebindings.rbac.authorization.k8s.io at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d800 0xc4204c5e30 kube-ingress ingress-nginx resources/kube-ingress/ingress-controller-nginx.yml 0xc420df45f0 false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": services "ingress-nginx" is forbidden: User "system:serviceaccount:default:wercker" cannot get services in the namespace "kube-ingress"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d8c0 0xc420134a10 kube-ingress ingress-nginx resources/kube-ingress/ingress-controller-nginx.yml 0xc420df4660 false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": configmaps "ingress-nginx" is forbidden: User "system:serviceaccount:default:wercker" cannot get configmaps in the namespace "kube-ingress"
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc42062d980 0xc420145ab0 kube-ingress ingress-nginx resources/kube-ingress/ingress-controller-nginx.yml 0xc420df46f0 false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": deployments.extensions "ingress-nginx" is forbidden: User "system:serviceaccount:default:wercker" cannot get deployments.extensions in the namespace "kube-ingress"
Edit 1: I tried moving the resources into the corresponding namespace, but I still get the same errors.
kubectl --namespace kube-ingress get role
NAME AGE
r-wercker-ingress-new 2m
kubectl --namespace kube-ingress describe role r-wercker-ingress-new
Name: r-wercker-ingress-new
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"r-wercker-ingress-new","namespace":"kube-ingress"},"rul...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [] [create delete patch update get watch list]
deployments.extensions [] [] [create delete patch update get watch list]
horizontalpodautoscalers.autoscaling [] [] [create delete patch update get watch list]
namespaces [] [] [create delete patch update get watch list]
serviceaccounts [] [] [create delete patch update get watch list]
services [] [] [create delete patch update get watch list]
kubectl --namespace kube-ingress get rolebinding
NAME AGE
r-wercker-ingress-new 2m
kubectl --namespace kube-ingress describe rolebinding r-wercker-ingress-new
Name: r-wercker-ingress-new
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"r-wercker-ingress-new","namespace":"kube-ingress...
Role:
Kind: Role
Name: r-wercker-ingress-new
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount wercker kube-ingress
Still gives:
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc420d14840 0xc420382620 kube-ingress nginx-ingress-controller resources/kube-ingress/ingress-controller-nginx.yml 0xc42160e560 false}
from server for: "resources/kube-ingress/ingress-controller-nginx.yml": serviceaccounts "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get serviceaccounts in the namespace "kube-ingress"
I have deleted and recreated the Role and RoleBinding.
Yes, it looks like you applied the resources to the wrong namespace. If you want to set up these permissions for the namespace kube-ingress, you need to create the resources in that namespace.
So you can add this line to the metadata of the Role, RoleBinding and ServiceAccount:
namespace: kube-ingress
With Role and RoleBinding you define permissions for a single namespace. If you want to create cluster-wide permissions, you can use ClusterRole and ClusterRoleBinding.
You can also create a generic ClusterRole and then bind it to a single namespace using a RoleBinding. The k8s docs are very helpful here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
As mentioned in the Kubernetes slack channel, you must specify the namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: r-wercker-ingress-new
  namespace: kube-ingress
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: ["extensions"]
    resources: ["deployments"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
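An added example, not code from the question or from either answer: a small model of how the RBAC authorizer in the API server decides a request, fed with four of the Forbidden lines from the question. Two things in the posted output drive it. First, every error names the identity system:serviceaccount:default:wercker, while the RoleBinding subject names the ServiceAccount wercker in kube-ingress; a RoleBinding only applies to the exact username the token authenticates as, so the binding matches nothing. Second, clusterroles and clusterrolebindings are denied "at the cluster scope", and no Role or RoleBinding can ever grant a cluster-scoped request. The subject fix and the narrow ClusterRoleBinding below are my assumptions about the intended setup, not something the page states.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: four "is forbidden" lines from the question's error output.
# kubectl apply GETs each object before creating or patching it, hence the verb "get".
FORBIDDEN_LINES = """
namespaces "kube-ingress" is forbidden: User "system:serviceaccount:default:wercker" cannot get namespaces in the namespace "kube-ingress"
serviceaccounts "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get serviceaccounts in the namespace "kube-ingress"
clusterroles.rbac.authorization.k8s.io "nginx-ingress-controller" is forbidden: User "system:serviceaccount:default:wercker" cannot get clusterroles.rbac.authorization.k8s.io at the cluster scope
deployments.extensions "ingress-nginx" is forbidden: User "system:serviceaccount:default:wercker" cannot get deployments.extensions in the namespace "kube-ingress"
"""
ERR_RE = re.compile(
    r'(?P<res>[\w.-]+) "(?P<name>[^"]+)" is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\w+) [\w.-]+ (?:in the namespace "(?P<ns>[^"]+)"|at the cluster scope)')
ALL_VERBS = ["create", "delete", "patch", "update", "get", "watch", "list"]

# group "" is the core API group; namespace "" means a cluster-scoped request.
Request = namedtuple("Request", "user verb group resource namespace name")


def parse_forbidden(text: str) -> List[Request]:
    """Recover the request the API server evaluated from each Forbidden line. The
    namespace comes from the message: that is how the server attributed the request
    (a GET of namespace X is treated as scoped to X, which is why a Role can cover it)."""
    reqs = []
    for m in ERR_RE.finditer(text):
        resource, _, group = m.group("res").partition(".")  # "deployments.extensions" -> deployments, extensions
        reqs.append(Request(m.group("user"), m.group("verb"), group, resource, m.group("ns") or "", m.group("name")))
    return reqs


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)

    def matches(self, r: Request) -> bool:
        return (("*" in self.api_groups or r.group in self.api_groups)
                and ("*" in self.resources or r.resource in self.resources)
                and ("*" in self.verbs or r.verb in self.verbs)
                and (not self.resource_names or r.name in self.resource_names))


@dataclass
class Binding:
    """RoleBinding (namespace set) or ClusterRoleBinding (namespace None), with the
    rules of the referenced Role/ClusterRole already resolved."""
    rules: List[Rule]
    subjects: List[str]  # usernames exactly as the authorizer sees them
    namespace: Optional[str] = None


def service_account(namespace: str, name: str) -> str:
    """The username a ServiceAccount token authenticates as."""
    return f"system:serviceaccount:{namespace}:{name}"


def authorize(r: Request, bindings: List[Binding]):
    """RBAC is allow-only: the first binding matching scope, subject and a rule wins."""
    reasons = []
    scope = r.namespace or "cluster"
    for b in bindings:
        if b.namespace is not None and r.namespace != b.namespace:
            reasons.append(f"RoleBinding in {b.namespace} cannot cover scope {scope}")
        elif r.user not in b.subjects:
            reasons.append(f"{r.user} is not among subjects {b.subjects}")
        elif any(rule.matches(r) for rule in b.rules):
            return True, "allowed"
        else:
            reasons.append("no rule grants this verb on this resource")
    return False, "; ".join(reasons)


# The Role from the question, as in Edit 1 (created in kube-ingress).
ROLE_RULES = [Rule([""], ["namespaces", "serviceaccounts", "services", "configmaps"], ALL_VERBS),
              Rule(["extensions"], ["deployments"], ALL_VERBS),
              Rule(["autoscaling"], ["horizontalpodautoscalers"], ALL_VERBS)]

# The RoleBinding as posted: subject is the SA "wercker" in kube-ingress, yet every error
# names system:serviceaccount:default:wercker, so the token in use belongs to the SA in "default".
AS_POSTED = Binding(ROLE_RULES, [service_account("kube-ingress", "wercker")], namespace="kube-ingress")

# Assumed fix (my suggestion, not from the page): bind the identity that actually authenticates.
SUBJECT_FIXED = Binding(ROLE_RULES, [service_account("default", "wercker")], namespace="kube-ingress")

# clusterroles are cluster-scoped, so only a ClusterRoleBinding can grant them. Assumed grant,
# kept narrow with resourceNames; "create" gets its own rule because RBAC cannot restrict
# create by name (the object name is not among the request attributes).
CLUSTER_GRANT = Binding(
    [Rule(["rbac.authorization.k8s.io"], ["clusterroles", "clusterrolebindings"],
          ["get", "update", "patch", "delete"], resource_names=["nginx-ingress-controller"]),
     Rule(["rbac.authorization.k8s.io"], ["clusterroles", "clusterrolebindings"], ["create"])],
    [service_account("default", "wercker")])


def decisions(bindings: List[Binding]) -> dict:
    """Map 'resource/name' from the error output to the model's allow/deny decision."""
    return {f"{r.resource}/{r.name}": authorize(r, bindings)[0] for r in parse_forbidden(FORBIDDEN_LINES)}


if __name__ == "__main__":
    for label, bs in [("as posted", [AS_POSTED]), ("subject fixed", [SUBJECT_FIXED]),
                      ("subject fixed + ClusterRoleBinding", [SUBJECT_FIXED, CLUSTER_GRANT])]:
        print(label, {k: ("allowed" if v else "DENIED") for k, v in decisions(bs).items()})
```

On a real cluster the equivalent check is `kubectl auth can-i get serviceaccounts -n kube-ingress --as=system:serviceaccount:default:wercker` (impersonation needs the impersonate permission for whoever runs it); a denial there with the binding in place means the subject, not the rules, is what does not match. Two caveats the model leaves out: the wercker identity will also need whatever the nginx ClusterRole itself grants (or the escalate verb on clusterroles and bind on clusterrolebindings), because RBAC refuses to let a subject create a role or binding carrying permissions it does not already hold; and the broad Role above grants create/delete on namespaces and serviceaccounts, which a deploy pipeline rarely needs, so trim it to the verbs the apply actually uses.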