Getting error from Kubernetes server while logging in - ClusterRoleBinding
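I am using Keycloak as my Kubernetes identity provider. I am using kubelogin to get the token. The token seems to work, but I am getting the error below. I think there is some issue in the ClusterRoleBinding that is not allowing it to work.
- What is the error
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
Additional information
- API manifest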
- --oidc-issuer-url=https://test1.example.com/auth/realms/kubernetes
- --oidc-username-claim=preferred_username
- --oidc-username-prefix=-
- --oidc-groups-claim=groups
- --oidc-client-id=kubernetes
- --oidc-ca-file=/etc/ssl/certs/ca.crt
- ClusterRole and ClusterRoleBinding
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-rolebinding
subjects:
- kind: User
  name: //test1.example.com.com/auth/realms/kubernetes#23fd6g03-e03e-450e-8b5d-07b19007c443
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Am I missing anything to get this to work?
After a lot of digging, I found the problem. Rather than adding the Keycloak URL for the user, we have to use the user name itself. Here is the sample YAML:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin-rolebinding
subjects:
- kind: User
  name: test
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
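Why the second binding matches, as an added example that is not part of the original post: the API server builds the user name from `--oidc-username-claim` and `--oidc-username-prefix`, and RBAC compares that exact string with `subjects[].name`. The token claims below are constructed sample values and the function names are hypothetical; the prefix rules follow the documented kube-apiserver flag behaviour.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def k8s_username(claims, issuer_url, username_claim="sub", username_prefix=None):
    """User name the API server derives from the token and the --oidc-* flags."""
    value = claims[username_claim]
    if username_prefix == "-":       # "-" disables all prefixing
        return value
    if username_prefix is None:      # flag not set: default depends on the claim
        # Any claim other than "email" is prefixed with "<issuer URL>#"
        return value if username_claim == "email" else f"{issuer_url}#{value}"
    return username_prefix + value   # explicit prefix, e.g. "oidc:"

def binding_matches(subject_name, claims, **flags):
    """RBAC matches a User subject by exact string equality on the name."""
    return subject_name == k8s_username(claims, **flags)

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

ISSUER = "https://test1.example.com/auth/realms/kubernetes"  # from the API manifest
SAMPLE_TOKEN = make_sample_token({   # constructed claims, not a real token
    "iss": ISSUER,
    "sub": "00000000-0000-0000-0000-000000000000",
    "preferred_username": "test",
    "groups": ["admins"],
})

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    # Flags from the page: preferred_username claim, prefix disabled with "-"
    print(k8s_username(claims, ISSUER, "preferred_username", "-"))
    # Defaults (sub claim, no prefix flag) give the "<issuer>#<sub>" form instead
    print(k8s_username(claims, ISSUER))
```

The name quoted in the Forbidden message (`User "test"`) is the string the API server derived, so it is the value the binding subject has to carry.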