我在这个 kubernetes RBAC 设置中缺少什么?

What am I missing in this kubernetes RBAC setup?

我想要 运行 一个侦听端点列表更新的 pod(我还没有准备好采用端点集的 alpha 级功能,但我最终会扩展到该功能。)

我有这个代码:

package main

import (
    "fmt"
    "os"
    "os/signal"
    "sync"
    "syscall"

    "k8s.io/apimachinery/pkg/util/runtime"
    "k8s.io/client-go/informers"
    "k8s.io/client-go/kubernetes"
    "k8s.io/client-go/rest"
    "k8s.io/client-go/tools/cache"
)

func ReadKubeConfig() (*rest.Config, *kubernetes.Clientset, error) {
    config, err := rest.InClusterConfig()
    if err != nil {
            return nil, nil, err
    }
    clients, err := kubernetes.NewForConfig(config)
    if err != nil {
            return nil, nil, err
    }
    return config, clients, nil
}

func main() {
    _, cs, err := ReadKubeConfig()
    if err != nil {
            fmt.Printf("could not create Clientset: %s\n", err)
            os.Exit(1)
    }
    factory := informers.NewSharedInformerFactory(cs, 0)
    ifmr := factory.Core().V1().Endpoints().Informer()
    stop := make(chan struct{})
    ifmr.AddEventHandler(cache.ResourceEventHandlerFuncs{
            AddFunc: func(next interface{}) {
                    fmt.Printf("AddFunc(%v)\n", next)
            },
            UpdateFunc: func(prev, next interface{}) {
                    fmt.Printf("UpdateFunc(%v, %v)\n", prev, next)
            },
            DeleteFunc: func(prev interface{}) {
                    fmt.Printf("DeleteFunc(%v)\n", prev)
            },
    })
    wg := &sync.WaitGroup{}
    wg.Add(1)
    go func() {
            defer runtime.HandleCrash()
            ifmr.Run(stop)
            wg.Done()
    }()
    ch := make(chan os.Signal, 1)
    signal.Notify(ch, os.Interrupt)
    signal.Notify(ch, os.Signal(syscall.SIGTERM))
    signal.Notify(ch, os.Signal(syscall.SIGHUP))
    sig := <-ch
    fmt.Printf("Received signal %s\n", sig)
    close(stop)
    wg.Wait()
}

我在部署和 运行ning:

时遇到此错误
kubeendpointwatcher.go:55: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:eng:default" cannot list resource "endpoints" in API group "" at the cluster scope

我定义了以下角色和角色绑定并将其部署到“eng”命名空间:

watch_endpoints$ kubectl -n eng get role mesh-endpoint-read -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-07-08T19:59:20Z"
  name: mesh-endpoint-read
  namespace: eng
  resourceVersion: "182975428"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/eng/roles/mesh-endpoint-read
  uid: fcadcc2a-19d0-4d6e-bee1-78413f51b91b
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get
  - list
  - watch

我有以下角色绑定:

watch_endpoints$ kubectl -n eng get rolebinding mesh-endpoint-read -o yaml | sed -e 's/^/    /g'

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-07-08T19:59:20Z"
  name: mesh-endpoint-read
  namespace: eng
  resourceVersion: "182977845"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/eng/rolebindings/mesh-endpoint-read
  uid: 705a3e50-2a73-47ed-aa62-0ea48f3493ee
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mesh-endpoint-read
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

您会注意到我将它应用于名为 defaultdefault 命名空间和 eng 命名空间服务帐户,尽管错误消息似乎表明它确实是 [=42] =]在 eng 命名空间的 default 服务帐户中。

我以前使用过按预期工作的 Role 和 RoleBinding 以及 ServiceAccount 对象,所以我不明白为什么这不起作用。我错过了什么?

出于 testing/reproduction 目的,我 运行 通过将内置二进制文件(cgo off)kubectl cp 放入使用 kubectl -n eng create deplpoy 创建的容器中,并使用香草 ubuntu 图像 运行ning /bin/sh -c sleep 999999999,然后在该 pod 容器中执行 /bin/bash shell。

您已经为 eng 命名空间创建了 rolerolebinding。但是,根据错误消息:

kubeendpointwatcher.go:55: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:eng:default" cannot list resource "endpoints" in API group "" at the cluster scope

您正在查询“cluster”范围内的端点。尝试将查询限制为 eng 命名空间或使用 clusterrole/clusterbindings

错误信息提示(system:serviceaccount:eng:default)serviceaccount 运行ning in eng namespace, whose name is default does not have permission to query ep 在集群范围内。

要验证此,您可以 运行 两次 curl 调用,首先 exec 使用相同的 sa 进入 pod ] 然后 运行 eng 命名空间的以下内容,稍后在其他命名空间上尝试。

curl -v --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/pods