AWS EKS Service account cluster role bindings not working, access Forbidden
I have a problem with AWS EKS cluster roles: it looks like they do not work when bound to a service account.

Service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: operator
  namespace: operator
Cluster role

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operator
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps", "services", "persistentvolumeclaims", "persistentvolumes", "pods"]
    verbs: ["create", "get", "list", "watch", "delete", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets", "deployments"]
    verbs: ["create", "get", "list", "watch", "delete", "update", "patch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["create", "get", "list", "watch", "delete", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses", "volumesnapshotcontents", "volumesnapshots", "volumesnapshotcontents/status", "volumesnapshots/status"]
    verbs: ["create", "get", "list", "watch", "delete", "update", "patch"]
ClusterRoleBinding

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: operator
subjects:
  - kind: ServiceAccount
    name: operator
    namespace: operator
Cluster server version: v1.17.6-eks-4e7f64
kubectl get deployments.apps -n operator operator -o yaml | grep service
serviceAccount: operator
serviceAccountName: operator
Python client: tried with kubernetes==11.0.0 as well as kubernetes==9.0.0 and 10. Operations on pods and other basic resources work fine.

Code:

from kubernetes import client, config

config.load_incluster_config()
api_client = client.ApiClient()

api_group = "snapshot.storage.k8s.io"
api_version = "v1beta1"
kind = "VolumeSnapshot"  # handed to the client as its 'plural' positional parameter (see traceback below)
namespace = "default"
label_selector = ""
api_response = client.CustomObjectsApi(api_client)\
    .list_namespaced_custom_object(api_group, api_version, namespace, kind,
                                   label_selector=label_selector)
Error log:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api/custom_objects_api.py", line 1489, in list_namespaced_custom_object
(data) = self.list_namespaced_custom_object_with_http_info(group, version, namespace, plural, **kwargs) # noqa: E501
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api/custom_objects_api.py", line 1595, in list_namespaced_custom_object_with_http_info
return self.api_client.call_api(
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 340, in call_api
return self.__call_api(resource_path, method,
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 172, in __call_api
response_data = self.request(
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 362, in request
return self.rest_client.GET(url,
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py", line 237, in GET
return self.request("GET", url,
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py", line 231, in request
raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '96d8e718-e6a8-45e5-a742-eb35dd65c8f8', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Wed, 29 Jul 2020 09:27:02 GMT', 'Content-Length': '411'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"VolumeSnapshot.snapshot.storage.k8s.io is forbidden: User \"system:serviceaccount:operator:operator\" cannot list resource \"VolumeSnapshot\" in API group \"snapshot.storage.k8s.io\" in the namespace \"default\"","reason":"Forbidden","details":{"group":"snapshot.storage.k8s.io","kind":"VolumeSnapshot"},"code":403}
Listing deployments fails as well:

from kubernetes import client, config

config.load_incluster_config()
api_client = client.api_client.ApiClient()
# apps/v1beta1 is no longer served by Kubernetes 1.16 and later, so a v1.17 API server
# answers 404 here before RBAC is even consulted; apps/v1 (AppsV1Api) is the served version.
deployments = client.AppsV1beta1Api(api_client)\
    .list_namespaced_deployment("default", label_selector="")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api/apps_v1beta1_api.py", line 1843, in list_namespaced_deployment
(data) = self.list_namespaced_deployment_with_http_info(namespace, **kwargs) # noqa: E501
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api/apps_v1beta1_api.py", line 1931, in list_namespaced_deployment_with_http_info
return self.api_client.call_api(
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 340, in call_api
return self.__call_api(resource_path, method,
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 172, in __call_api
response_data = self.request(
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 362, in request
return self.rest_client.GET(url,
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py", line 237, in GET
return self.request("GET", url,
File "/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py", line 231, in request
raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (404)
Reason: Not Found
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'cc91c8f8-8348-444c-ac61-aa6cd4d14e08', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'Date': 'Wed, 29 Jul 2020 09:26:54 GMT', 'Content-Length': '174'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}
Any help is greatly appreciated, I am really stuck.

I managed to find the solution: the problem was that the kind was wrong, "VolumeSnapshot"; I corrected it to kind = "volumesnapshots" and it worked. As a conclusion I can say: always use the kind as defined in the cluster role. Lowercase!!!
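Added example, not code from the question or from the kubernetes client: it resolves a Kind to the plural resource name through a constructed, trimmed copy of the API server's discovery document and then mimics RBAC rule matching against the snapshot rule of the ClusterRole above, showing why passing the Kind as the plural is denied while the plural is allowed. The discovery JSON is a sample I constructed and the helper names are mine.

```python
import json

# Constructed (trimmed) sample of the API server's discovery document for
# GET /apis/snapshot.storage.k8s.io/v1beta1 (an APIResourceList).
DISCOVERY = json.loads("""{
  "kind": "APIResourceList", "groupVersion": "snapshot.storage.k8s.io/v1beta1",
  "resources": [
    {"name": "volumesnapshots", "namespaced": true, "kind": "VolumeSnapshot",
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"name": "volumesnapshots/status", "namespaced": true, "kind": "VolumeSnapshot",
     "verbs": ["get", "patch", "update"]},
    {"name": "volumesnapshotclasses", "namespaced": false, "kind": "VolumeSnapshotClass",
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}]}""")

# The snapshot.storage.k8s.io rule copied from the question's ClusterRole "operator".
OPERATOR_RULES = [{
    "apiGroups": ["snapshot.storage.k8s.io"],
    "resources": ["volumesnapshotclasses", "volumesnapshotcontents", "volumesnapshots",
                  "volumesnapshotcontents/status", "volumesnapshots/status"],
    "verbs": ["create", "get", "list", "watch", "delete", "update", "patch"]}]

def plural_for_kind(discovery, kind):
    """Map a manifest Kind to the plural resource name used in URL paths and RBAC rules."""
    for res in discovery["resources"]:
        if res["kind"] == kind and "/" not in res["name"]:  # skip subresources
            return res["name"]
    raise KeyError(f"{kind!r} is not served by {discovery['groupVersion']}")

def rbac_allows(rules, group, resource, verb):
    """Mimic RBAC rule matching: each field must list the value literally or '*'.
    The value compared is the request path segment, so the Kind 'VolumeSnapshot'
    never matches a rule that grants 'volumesnapshots'."""
    def matches(field, value):
        return "*" in field or value in field
    return any(matches(r["apiGroups"], group) and matches(r["resources"], resource)
               and matches(r["verbs"], verb) for r in rules)

def check_list_request(group, version, namespace, plural):
    """Return the path list_namespaced_custom_object() would request for these
    arguments and whether OPERATOR_RULES lets the service account 'list' it."""
    path = f"/apis/{group}/{version}/namespaces/{namespace}/{plural}"
    return path, rbac_allows(OPERATOR_RULES, group, plural, "list")

if __name__ == "__main__":
    group, ns = "snapshot.storage.k8s.io", "default"
    print(check_list_request(group, "v1beta1", ns, "VolumeSnapshot"))  # Kind passed as plural: denied
    print(check_list_request(group, "v1beta1", ns, plural_for_kind(DISCOVERY, "VolumeSnapshot")))
```

The same check can be made against a live cluster with kubectl auth can-i, which takes the plural resource name just as the rule does.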