Spring Cloud Kubernetes:什么是 cluster-reader 权限?
Spring Cloud Kubernetes: What are cluster-reader permissions?
根据 Spring Cloud Kubernetes 文档,为了在启用 RBAC 的 Kubernetes 发行版中发现 services/pods:
you need to make sure a pod that runs with spring-cloud-kubernetes has access to the Kubernetes API. For any service accounts you assign to a deployment/pod, you need to make sure it has the correct roles. For example, you can add cluster-reader permissions to your default service account depending on the project you’re in.
要发现 services/pods 需要什么 cluster-reader 权限?
我收到的错误是:
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://x.x.x.x/api/v1/namespaces/jx-staging/services.
Message: Forbidden!Configured service account doesn't have access.
Service account may have been revoked. services is forbidden:
User "system:serviceaccount:jx-staging:default" cannot list services in the namespace "jx-staging"
Kubernetes 一般将角色分为两类:
- 角色:这特定于他们被授予的命名空间
- ClusterRole:适用于整个集群,也就是说它适用于所有命名空间
那么 Spring Cloud Kubernetes 文档的意思是,为了能够在所有命名空间中正确读取发现 services/pods,将与应用程序关联的 ServiceAccount 应该有一个ClusterRole 允许它读取 Pods、Services 等
This 部分 Kubernetes 文档(其中还包含很好的示例)是全面了解 Kubernetes RBAC 的必读内容。
阅读 endpoints 和 services 似乎是 Spring Cloud Kubernetes 发现 pods 和服务的最低限度。
示例将权限添加到 default 命名空间中的 default 服务帐户。
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-read-role
rules:
- apiGroups:
- ""
resources:
- endpoints
- pods
- services
- configmaps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-read-rolebinding
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: cluster-read-role
apiGroup: rbac.authorization.k8s.io
根据 Spring Cloud Kubernetes 文档,为了在启用 RBAC 的 Kubernetes 发行版中发现 services/pods:
you need to make sure a pod that runs with spring-cloud-kubernetes has access to the Kubernetes API. For any service accounts you assign to a deployment/pod, you need to make sure it has the correct roles. For example, you can add
cluster-readerpermissions to your default service account depending on the project you’re in.
要发现 services/pods 需要什么 cluster-reader 权限?
我收到的错误是:
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://x.x.x.x/api/v1/namespaces/jx-staging/services.
Message: Forbidden!Configured service account doesn't have access.
Service account may have been revoked. services is forbidden:
User "system:serviceaccount:jx-staging:default" cannot list services in the namespace "jx-staging"
Kubernetes 一般将角色分为两类:
- 角色:这特定于他们被授予的命名空间
- ClusterRole:适用于整个集群,也就是说它适用于所有命名空间
那么 Spring Cloud Kubernetes 文档的意思是,为了能够在所有命名空间中正确读取发现 services/pods,将与应用程序关联的 ServiceAccount 应该有一个ClusterRole 允许它读取 Pods、Services 等
This 部分 Kubernetes 文档(其中还包含很好的示例)是全面了解 Kubernetes RBAC 的必读内容。
阅读 endpoints 和 services 似乎是 Spring Cloud Kubernetes 发现 pods 和服务的最低限度。
示例将权限添加到 default 命名空间中的 default 服务帐户。
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-read-role
rules:
- apiGroups:
- ""
resources:
- endpoints
- pods
- services
- configmaps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-read-rolebinding
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: cluster-read-role
apiGroup: rbac.authorization.k8s.io