Unable to read resources via K8s API
Updated
I am trying to fetch resources via curl from a pod deployed on K8s.
While I can get the list of pods with a curl request, I cannot do so for configmaps and nodes.
Here are the role bindings I am using (this works for pods):
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-ro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", “configmaps”]
  verbs: ["get","list"]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-cro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["nodes”]
  verbs: ["get","list"]
When I try to get the list of nodes:
curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/nodes
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "nodes is forbidden: User \"system:serviceaccount:test:test\" cannot list resource \"nodes\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "nodes"
  },
Same for configmaps:
curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/configmaps
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "configmaps is forbidden: User \"system:serviceaccount:test:test\" cannot list resource \"configmaps\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "configmaps"
  },
  "code": 403
whereas for pods it is working.
What could be the problem? A misconfigured RoleBinding?
To grant the test-ro Role permission to list ConfigMaps, the resource name must be specified in its plural form. This is probably the reason why listing Pods works but listing ConfigMaps does not. So the Role should be specified like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-ro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "configmaps"]
  verbs: ["get","list"]
Listing nodes requires a somewhat different configuration, because nodes are a cluster-level resource rather than a namespaced one. Due to this, the nodes permissions must be given in a ClusterRole.
Also, the API URL for listing nodes has no namespace. The correct URL should be https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/nodes.
An example of a working ClusterRole could look like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["nodes"]
  verbs: ["get","list"]
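As an added example (not from the question, the answer, or Kubernetes itself), a small Python checker that flags the two RBAC mistakes discussed above before a manifest is applied: resource names that are not plain lowercase plural identifiers (for instance when typographic quotes have crept into the YAML, as in the posted Role), and cluster-scoped resources such as nodes granted in a namespaced Role. The lint_rbac function and the sample manifests are constructed for this example.

```python
import re

# Hypothetical helper written for this example; it is not part of the question,
# the answer, or Kubernetes. It scans one Role/ClusterRole manifest given as text.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes",
                  "clusterroles", "clusterrolebindings"}
# A valid core resource name: lowercase plural, optional "/subresource".
NAME_RE = re.compile(r"^[a-z0-9.]+(/[a-z]+)?$")


def lint_rbac(manifest: str) -> list:
    """Return findings for the rules in a single Role/ClusterRole manifest."""
    kind_m = re.search(r"^\s*kind:\s*(\w+)", manifest, re.M)
    kind = kind_m.group(1) if kind_m else "?"
    findings = []
    for m in re.finditer(r"resources:\s*\[(.*?)\]", manifest):
        for raw in m.group(1).split(","):
            name = raw.strip().strip("\"'")  # strips ASCII quotes only
            if not NAME_RE.match(name):
                findings.append(f"{kind}: resource {raw.strip()!r} is not a valid "
                                "name (check for curly quotes or uppercase)")
                continue
            if not name.split("/")[0].endswith("s"):
                findings.append(f"{kind}: resource {name!r} must be the plural form")
            if kind == "Role" and name in CLUSTER_SCOPED:
                findings.append(f"Role: {name!r} is cluster-scoped; grant it in a ClusterRole")
    return findings


# Constructed inputs: the Role as posted in the question (typographic quotes
# around configmaps), the corrected Role from the answer, and a Role that
# wrongly tries to grant the cluster-scoped nodes resource.
POSTED_ROLE = """apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-ro
rules:
- apiGroups: [""]
  resources: ["pods", “configmaps”]
  verbs: ["get","list"]
"""
FIXED_ROLE = POSTED_ROLE.replace("“configmaps”", '"configmaps"')
ROLE_WITH_NODES = POSTED_ROLE.replace('["pods", “configmaps”]', '["nodes"]')

if __name__ == "__main__":
    for label, text in [("posted", POSTED_ROLE), ("fixed", FIXED_ROLE),
                        ("nodes-in-role", ROLE_WITH_NODES)]:
        print(label, lint_rbac(text) or ["ok"])
```

The API server matches resource names byte for byte, so a rule whose name carries stray quote characters silently grants nothing, which is exactly what a 403 with an otherwise plausible Role looks like.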