Trying to create a namespace in an AWS EKS cluster with kubectl - Getting: Error from server (Forbidden): namespaces is forbidden
I'm trying to create a namespace in an AWS EKS cluster, but I keep getting an error.
I can do anything I want in the default namespace, but when I try to create a new namespace name, I'm forbidden.
It must be something I've done wrong with the user "thera-eks".
Maybe the role binding?
It looks like I've given the role access to everything, since in the rules I gave it the * wildcard.
The command I'm using is:
kubectl create namespace ernie
The error I get is:
Error from server (Forbidden): namespaces is forbidden: User "thera-eks" cannot create resource "namespaces" in API group "" at the cluster scope
My role.yaml is:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: full_access
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
My rolebinding.yaml is:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: full_access_role_binding
subjects:
- kind: User
  name: thera-eks
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: full_access
  apiGroup: rbac.authorization.k8s.io
The aws-auth ConfigMap is:
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::9967xxxxxxxx:role/eksctl-ops-nodegroup-linux-ng-sys-NodeInstanceRole-346VJPTOXI7L
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - eks-role
      - system:master
      rolearn: arn:aws:iam::9967xxxxxxxx:role/thera-eks
      username: thera-eks
  mapUsers: |
    - userarn: arn:aws:iam::9967xxxxxxxx:user/test-ecr
      username: test-ecr
      groups:
      - eks-role
The AWS IAM permissions JSON for the role "thera-eks" is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart",
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:*",
        "iam:ListRoles",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}
The user "thera-eks" does not have permission to create namespaces.
Check whether you are allowed to create namespaces with the following command:
kubectl auth can-i create namespace
You need cluster-level permissions to create namespace objects. Define a ClusterRole and map the user to it with a ClusterRoleBinding.
@mdaniel and @PEkambaram are right, but I'd like to extend and support it with the official docs for a better understanding:
An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).
A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.
ClusterRole, by contrast, is a non-namespaced resource. The resources have different names (Role and ClusterRole) because a Kubernetes object always has to be either namespaced or not namespaced; it can't be both.
ClusterRoles have several uses. You can use a ClusterRole to:
- define permissions on namespaced resources and be granted within individual namespace(s)
- define permissions on namespaced resources and be granted across all namespaces
- define permissions on cluster-scoped resources
If you want to define a role within a namespace, use a Role; if you want to define a role cluster-wide, use a ClusterRole.
There you will also find an example of a ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
The linked documentation will show you all the necessary details with examples, which will help you understand and set up your RBAC.
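To make the scoping rule from both answers concrete, here is an added example (not from the question, the answers, or Kubernetes itself): a small model of the RBAC authorizer's namespace scoping, run against the asker's wildcard Role bound in "default" and against a constructed, least-privilege ClusterRole (the names FULL_ACCESS and NS_ADMIN are assumptions for the illustration). It shows why a RoleBinding can never grant a cluster-scoped request such as creating a namespace, no matter how broad the Role's rules are, and why a ClusterRole limited to the namespaces resource grants exactly that and nothing else.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        # "*" behaves as in RBAC: it also covers the core API group ""
        return (("*" in self.api_groups or api_group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))

@dataclass
class Binding:
    subjects: set            # user and group names listed under subjects:
    rules: list              # rules of the referenced Role or ClusterRole
    namespace: "str | None"  # RoleBinding: its namespace; ClusterRoleBinding: None

def can_i(bindings, user, groups, verb, resource, api_group="", namespace=None):
    """True if any binding grants the request; namespace=None models a
    cluster-scoped request such as 'create namespaces'."""
    principals = {user, *groups}
    for b in bindings:
        if not principals & b.subjects:
            continue
        # A RoleBinding only covers requests inside its own namespace, so it can
        # never satisfy a cluster-scoped request, however broad its rules are.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.matches(api_group, resource, verb) for r in b.rules):
            return True
    return False

# The asker's wildcard Role, bound to thera-eks by a RoleBinding in "default".
FULL_ACCESS = Binding({"thera-eks"}, [Rule(["*"], ["*"], ["*"])], "default")
# Constructed least-privilege fix: a ClusterRole limited to namespaces, bound
# cluster-wide by a ClusterRoleBinding (namespace=None).
NS_ADMIN = Binding({"thera-eks"}, [Rule([""], ["namespaces"], ["create", "get", "list"])], None)

def check(bindings):
    """Evaluate the requests discussed on the page for user thera-eks."""
    u, g = "thera-eks", ["eks-role"]
    return {
        "create pods in default": can_i(bindings, u, g, "create", "pods", namespace="default"),
        "create namespaces": can_i(bindings, u, g, "create", "namespaces"),
        "create pods in kube-system": can_i(bindings, u, g, "create", "pods", namespace="kube-system"),
    }
```

Running check([FULL_ACCESS]) reproduces the asker's symptom (pods in default allowed, namespaces forbidden), and check([FULL_ACCESS, NS_ADMIN]) shows the narrow ClusterRoleBinding fixing it without also granting access to other namespaces; `kubectl auth can-i` is the equivalent check against a real cluster.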