Service account fails to delete resources, even though it should have rights to do so

I have a service account monitoring:prometheus-operator-operator whose cluster role binding binds it to this cluster role:

Name:         prometheus-operator-operator
Labels:       app=prometheus-operator-operator
              chart=prometheus-operator-5.7.0
              heritage=Tiller
              release=prometheus-operator
Annotations:  <none>
PolicyRule:
  Resources                                       Non-Resource URLs  Resource Names  Verbs
  ---------                                       -----------------  --------------  -----
  configmaps                                      []                 []              [*]
  secrets                                         []                 []              [*]
  customresourcedefinitions.apiextensions.k8s.io  []                 []              [*]
  statefulsets.apps                               []                 []              [*]
  alertmanagers.monitoring.coreos.com/finalizers  []                 []              [*]
  alertmanagers.monitoring.coreos.com             []                 []              [*]
  prometheuses.monitoring.coreos.com/finalizers   []                 []              [*]
  prometheuses.monitoring.coreos.com              []                 []              [*]
  prometheusrules.monitoring.coreos.com           []                 []              [*]
  servicemonitors.monitoring.coreos.com           []                 []              [*]
  endpoints                                       []                 []              [get create update]
  services                                        []                 []              [get create update]
  namespaces                                      []                 []              [get list watch]
  pods                                            []                 []              [list delete]
  nodes                                           []                 []              [list watch]

Now I am trying to run this

curl -ik -X DELETE \
  -H "Authorization: Bearer <SERVICE_ACCOUNT_TOKEN>" \
  https://kubernetes.default.svc/apis/monitoring.coreos.com/v1/monitoring/prometheusrules/zalenium

from within a pod in the cluster, to delete a PrometheusRule.

But my request does not succeed and is rejected with a 403:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "monitoring.monitoring.coreos.com \"prometheusrules\" is forbidden: User \"system:serviceaccount:monitoring:prometheus-operator-operator\" cannot delete resource \"monitoring/zalenium\" in API group \"monitoring.coreos.com\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "prometheusrules",
    "group": "monitoring.coreos.com",
    "kind": "monitoring"
  },
  "code": 403
}

Am I wrong in assuming that a service account in my monitoring namespace should be able to delete a PrometheusRule at the cluster level?

Everything looks correct to me, but I don't understand why I get a Forbidden response.

You forgot to put the namespace into the URI

curl -ik -X DELETE \
  -H "Authorization: Bearer <SERVICE_ACCOUNT_TOKEN>" \
  https://kubernetes.default.svc/apis/monitoring.coreos.com/v1/namespaces/monitoring/prometheusrules/zalenium

With the following command you can verify whether you are allowed to perform action X on resource Y

kubectl auth can-i delete prometheusrules --as system:serviceaccount:monitoring:prometheus-operator-operator -n monitoring

With the -v flag you can increase the verbosity of the request; it also prints the request in curl form.
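To make the answer concrete, here is an added example (not code from the question, the answer, or the prometheus-operator project) that models offline how the API server splits a request path into group, version, namespace, resource, name and subresource, how the correct namespaced path is built, and how the ClusterRole's rules from the question are evaluated for a verb in the spirit of `kubectl auth can-i`. The rules are transcribed from the `kubectl describe` output above; `parse_path` is a simplified model of the server's RequestInfo resolution (namespace subresources such as `finalize` are ignored), and nothing here contacts a real cluster.

```python
"""Offline model of Kubernetes API path resolution and RBAC rule matching.
Added example; rules are transcribed from the ClusterRole in the question."""

from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Resource:
    group: str          # "" for the core group (pods, nodes, secrets, ...)
    version: str
    plural: str         # e.g. "prometheusrules"
    namespaced: bool


def api_path(res: Resource, name: Optional[str] = None,
             namespace: Optional[str] = None) -> str:
    """Build the REST path for a resource. A namespaced resource must carry
    /namespaces/<ns>/ before the plural name; without it the server treats the
    request as cluster-scoped, which is what produced the 403 in the question."""
    prefix = "/api" if res.group == "" else f"/apis/{res.group}"
    parts = [prefix, res.version]
    if res.namespaced:
        if namespace is None:
            raise ValueError(f"{res.plural} is namespaced; a namespace is required")
        parts += ["namespaces", namespace]
    parts.append(res.plural)
    if name is not None:
        parts.append(name)
    return "/".join(parts)


def parse_path(path: str) -> Dict[str, Optional[str]]:
    """Simplified RequestInfo resolution for /api/... and /apis/<group>/... paths:
    after the version segment, an optional 'namespaces/<ns>' pair, then
    resource, name, subresource, in that order (assumption: simplified model)."""
    segs = [s for s in path.split("/") if s]
    if segs[0] == "api":
        group, rest = "", segs[1:]
    elif segs[0] == "apis":
        group, rest = segs[1], segs[2:]
    else:
        raise ValueError("not an API resource path")
    version, rest = rest[0], rest[1:]
    namespace = None
    if rest and rest[0] == "namespaces" and len(rest) > 1:
        namespace = rest[1]
        if len(rest) > 2:          # more segments: the namespace is a scope, not the resource
            rest = rest[2:]
    fields = ["resource", "name", "subresource"]
    info: Dict[str, Optional[str]] = dict(zip(fields, rest + [None] * (3 - len(rest))))
    info.update(group=group, version=version, namespace=namespace)
    return info


@dataclass(frozen=True)
class Rule:
    api_groups: Sequence[str]
    resources: Sequence[str]
    verbs: Sequence[str]


def _matches(allowed: Sequence[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def can_i(rules: Sequence[Rule], verb: str, group: str, resource: str) -> bool:
    """RBAC is purely additive: allow if any rule grants the verb on (group, resource)."""
    return any(_matches(r.api_groups, group) and _matches(r.resources, resource)
               and _matches(r.verbs, verb) for r in rules)


# Transcribed from the prometheus-operator-operator ClusterRole shown in the question.
MON = "monitoring.coreos.com"
OPERATOR_RULES = [
    Rule([""], ["configmaps", "secrets"], ["*"]),
    Rule(["apiextensions.k8s.io"], ["customresourcedefinitions"], ["*"]),
    Rule(["apps"], ["statefulsets"], ["*"]),
    Rule([MON], ["alertmanagers", "alertmanagers/finalizers", "prometheuses",
                 "prometheuses/finalizers", "prometheusrules", "servicemonitors"], ["*"]),
    Rule([""], ["endpoints", "services"], ["get", "create", "update"]),
    Rule([""], ["namespaces"], ["get", "list", "watch"]),
    Rule([""], ["pods"], ["list", "delete"]),
    Rule([""], ["nodes"], ["list", "watch"]),
]

PROMETHEUSRULES = Resource(MON, "v1", "prometheusrules", namespaced=True)

# The URL from the question, and the corrected one from the answer.
WRONG_PATH = "/apis/monitoring.coreos.com/v1/monitoring/prometheusrules/zalenium"
RIGHT_PATH = api_path(PROMETHEUSRULES, name="zalenium", namespace="monitoring")

if __name__ == "__main__":
    # The server read "monitoring" as the resource and "prometheusrules" as the name,
    # with no namespace, hence a 403 about "monitoring/zalenium" at the cluster scope.
    print("wrong URL parsed as:", parse_path(WRONG_PATH))
    print("right URL:", RIGHT_PATH, parse_path(RIGHT_PATH))
    print("can delete prometheusrules?", can_i(OPERATOR_RULES, "delete", MON, "prometheusrules"))
    print("can get pods?", can_i(OPERATOR_RULES, "get", "", "pods"))
```

Running it shows why the role was never the problem: the rules do grant `delete` on `prometheusrules`, but the mis-built path made the server authorize a different (resource, scope) tuple. The same check explains the error text in the question, where `details.kind` is `monitoring` and `details.name` is `prometheusrules`.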