AWS EKS 服务账户集群角色绑定不起作用访问被禁止

AWS EKS Service account cluster role bindings not working access Forbidden

我遇到了 AWS EKS 集群角色的问题,看起来绑定到服务帐户时无法正常工作。

服务帐号

apiVersion: v1
kind: ServiceAccount
metadata:
  name: operator
  namespace: operator

集群角色

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operator
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps", "services", "persistentvolumeclaims", "persistentvolumes", "pods"]
    verbs: ["create", "get", "list", "watch", "delete", "update", "patch"]

  - apiGroups: ["apps"]
    resources: ["statefulsets", "deployments"]
    verbs: ["create", "get", "list", "watch", "delete", "update", "patch"]

  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["create", "get", "list", "watch", "delete", "update", "patch"]

  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses", "volumesnapshotcontents", "volumesnapshots", "volumesnapshotcontents/status", "volumesnapshots/status"]
    verbs: ["create", "get", "list", "watch", "delete", "update", "patch"]

ClusterRoleBinding

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: operator
subjects:
- kind: ServiceAccount
  name: operator
  namespace: operator

集群服务器版本:v1.17.6-eks-4e7f64

kubectl get deployments.apps -n operator operator -o yaml | grep service
  serviceAccount: operator
  serviceAccountName: operator

Python 客户端尝试使用 kubernetes==11.0.0 以及 kubernetes==9.0.0 和 10。在 pods 和其他基本资源上执行操作工作正常。 代码:

api_group = "snapshot.storage.k8s.io"
api_version = "v1beta1"
kind = "VolumeSnapshot"
namespace="default"
label_selector=""
api_response = client.CustomObjectsApi(api_client)\
     .list_namespaced_custom_object(api_group, api_version, namespace, kind,
                                    label_selector=label_selector)

错误日志:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api/custom_objects_api.py", line 1489, in list_namespaced_custom_object
    (data) = self.list_namespaced_custom_object_with_http_info(group, version, namespace, plural, **kwargs)  # noqa: E501
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api/custom_objects_api.py", line 1595, in list_namespaced_custom_object_with_http_info
    return self.api_client.call_api(
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 340, in call_api
    return self.__call_api(resource_path, method,
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 172, in __call_api
    response_data = self.request(
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 362, in request
    return self.rest_client.GET(url,
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py", line 237, in GET
    return self.request("GET", url,
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py", line 231, in request
    raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '96d8e718-e6a8-45e5-a742-eb35dd65c8f8', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Wed, 29 Jul 2020 09:27:02 GMT', 'Content-Length': '411'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"VolumeSnapshot.snapshot.storage.k8s.io is forbidden: User \"system:serviceaccount:operator:operator\" cannot list resource \"VolumeSnapshot\" in API group \"snapshot.storage.k8s.io\" in the namespace \"default\"","reason":"Forbidden","details":{"group":"snapshot.storage.k8s.io","kind":"VolumeSnapshot"},"code":403}

同时列出部署失败:

config.load_incluster_config()
api_client = client.api_client.ApiClient()
deployments = client.AppsV1beta1Api(api_client)\
     .list_namespaced_deployment("default", label_selector="")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api/apps_v1beta1_api.py", line 1843, in list_namespaced_deployment
    (data) = self.list_namespaced_deployment_with_http_info(namespace, **kwargs)  # noqa: E501
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api/apps_v1beta1_api.py", line 1931, in list_namespaced_deployment_with_http_info
    return self.api_client.call_api(
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 340, in call_api
    return self.__call_api(resource_path, method,
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 172, in __call_api
    response_data = self.request(
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/api_client.py", line 362, in request
    return self.rest_client.GET(url,
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py", line 237, in GET
    return self.request("GET", url,
  File "/usr/local/lib/python3.8/site-packages/kubernetes/client/rest.py", line 231, in request
    raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (404)
Reason: Not Found
HTTP response headers: HTTPHeaderDict({'Audit-Id': 'cc91c8f8-8348-444c-ac61-aa6cd4d14e08', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'Date': 'Wed, 29 Jul 2020 09:26:54 GMT', 'Content-Length': '174'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

非常感谢任何帮助,我真的被困住了。

我设法找到了解决方案,问题是 kind 是错误的“VolumeSnapshot”,我将其更正为 kind =“volumesnapshots”并成功了。作为结论,我可以说始终使用在集群角色中定义的种类。小写!!!