kubernetes pods 被禁止:用户 "user1" 无法在命名空间 "stage" 中列出 pods

kubernetes pods is forbidden: User "user1" cannot list pods in the namespace "stage"

在阿里巴巴容器服务中测试基于角色的访问时,它向我抛出错误 "pods is forbidden: User "user1" cannot list pods in the namespace "stage"" 这是 RBAC 问题,我无法弄清楚我在哪里弄错了

角色绑定定义

root@kube-master:# kubectl describe rolebinding stage-role-binding  -n stage
Name:         stage-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  staging
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  user2  

角色定义

root@kube-master:# kubectl describe role -n stage
Name:         staging
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources               Non-Resource URLs  Resource Names  Verbs
  ---------               -----------------  --------------  -----
  deployments             []                 []              [get list watch create update patch delete]
  pods                    []                 []              [get list watch create update patch delete]
  replicasets             []                 []              [get list watch create update patch delete]
  deployments.apps        []                 []              [get list watch create update patch delete]
  pods.apps               []                 []              [get list watch create update patch delete]
  replicasets.apps        []                 []              [get list watch create update patch delete]
  deployments.extensions  []                 []              [get list watch create update patch delete]
  pods.extensions         []                 []              [get list watch create update patch delete]
  replicasets.extensions  []                 []              [get list watch create update patch delete]

一个 pod 运行 在 stage namespace

root@kube-master:# kubectl get pods -n stage 
NAME      READY     STATUS    RESTARTS   AGE
busybox   1/1       Running   0          10m

定义上下文

root@kube-master:# kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2
Context "stage" modified.

测试 RBAC

root@kube-master:/home/ansible# kubectl --context=stage get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "user1" cannot list pods in the namespace "stage"

不确定来自哪里 user1

is coming and throwing the RBAC Error

只为 user2

设置了 context
root@kube-master:# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   
          stage                         kubernetes   user2              stage

这就是我创建用户的方式

openssl genrsa -out user2.key 2048
openssl req -new -key user2.key -out user2.csr -subj "/CN=user1/O=8gwifi.org"
openssl x509 -req -in user2.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user2.crt -days 500

kubectl config set-credentials user2 --client-certificate=user2.crt --client-key=user2.key
kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2

RoleBinding 适用于用户 user2,不适用于 user1。这就是您收到 RBAC 错误的原因。

为用户 user2 设置上下文并不意味着 kubernetes 会将此用户识别为 user2。这取决于您使用的凭证。如果使用的凭证是用户 user-x,那么 kubernetes 会将其视为 user-xcontext user 用于 kubectl 查找用户凭证信息。要了解 kubernetes 身份验证,请参阅 here

您在此处使用的凭据已解析为用户 user1。因此,您应该将 RoleBinding 更新为 user1.

问题更新后

对于证书认证,CN 将是用户名(参考:here)。 在您的证书 "/CN=user1/O=8gwifi.org" 中,用户名将是 user1 而不是 user2.