我在这个 kubernetes RBAC 设置中缺少什么?
What am I missing in this kubernetes RBAC setup?
我想要 运行 一个侦听端点列表更新的 pod(我还没有准备好采用端点集的 alpha 级功能,但我最终会扩展到该功能。)
我有这个代码:
package main
import (
"fmt"
"os"
"os/signal"
"sync"
"syscall"
"k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/cache"
)
func ReadKubeConfig() (*rest.Config, *kubernetes.Clientset, error) {
config, err := rest.InClusterConfig()
if err != nil {
return nil, nil, err
}
clients, err := kubernetes.NewForConfig(config)
if err != nil {
return nil, nil, err
}
return config, clients, nil
}
func main() {
_, cs, err := ReadKubeConfig()
if err != nil {
fmt.Printf("could not create Clientset: %s\n", err)
os.Exit(1)
}
factory := informers.NewSharedInformerFactory(cs, 0)
ifmr := factory.Core().V1().Endpoints().Informer()
stop := make(chan struct{})
ifmr.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: func(next interface{}) {
fmt.Printf("AddFunc(%v)\n", next)
},
UpdateFunc: func(prev, next interface{}) {
fmt.Printf("UpdateFunc(%v, %v)\n", prev, next)
},
DeleteFunc: func(prev interface{}) {
fmt.Printf("DeleteFunc(%v)\n", prev)
},
})
wg := &sync.WaitGroup{}
wg.Add(1)
go func() {
defer runtime.HandleCrash()
ifmr.Run(stop)
wg.Done()
}()
ch := make(chan os.Signal, 1)
signal.Notify(ch, os.Interrupt)
signal.Notify(ch, os.Signal(syscall.SIGTERM))
signal.Notify(ch, os.Signal(syscall.SIGHUP))
sig := <-ch
fmt.Printf("Received signal %s\n", sig)
close(stop)
wg.Wait()
}
我在部署和 运行ning:
时遇到此错误
kubeendpointwatcher.go:55: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:eng:default" cannot list resource "endpoints" in API group "" at the cluster scope
我定义了以下角色和角色绑定并将其部署到“eng”命名空间:
watch_endpoints$ kubectl -n eng get role mesh-endpoint-read -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2021-07-08T19:59:20Z"
name: mesh-endpoint-read
namespace: eng
resourceVersion: "182975428"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/eng/roles/mesh-endpoint-read
uid: fcadcc2a-19d0-4d6e-bee1-78413f51b91b
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- list
- watch
我有以下角色绑定:
watch_endpoints$ kubectl -n eng get rolebinding mesh-endpoint-read -o yaml | sed -e 's/^/ /g'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2021-07-08T19:59:20Z"
name: mesh-endpoint-read
namespace: eng
resourceVersion: "182977845"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/eng/rolebindings/mesh-endpoint-read
uid: 705a3e50-2a73-47ed-aa62-0ea48f3493ee
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: mesh-endpoint-read
subjects:
- kind: ServiceAccount
name: default
namespace: default
您会注意到我将它应用于名为 default 的 default 命名空间和 eng 命名空间服务帐户,尽管错误消息似乎表明它确实是 [=42] =]在 eng 命名空间的 default 服务帐户中。
我以前使用过按预期工作的 Role 和 RoleBinding 以及 ServiceAccount 对象,所以我不明白为什么这不起作用。我错过了什么?
出于 testing/reproduction 目的,我 运行 通过将内置二进制文件(cgo off)kubectl cp 放入使用 kubectl -n eng create deplpoy 创建的容器中,并使用香草 ubuntu 图像 运行ning /bin/sh -c sleep 999999999,然后在该 pod 容器中执行 /bin/bash shell。
您已经为 eng 命名空间创建了 role 和 rolebinding。但是,根据错误消息:
kubeendpointwatcher.go:55: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:eng:default" cannot list resource "endpoints" in API group "" at the cluster scope
您正在查询“cluster”范围内的端点。尝试将查询限制为 eng 命名空间或使用 clusterrole/clusterbindings
错误信息提示(system:serviceaccount:eng:default)serviceaccount 运行ning in eng namespace, whose name is default does not have permission to query ep 在集群范围内。
要验证此,您可以 运行 两次 curl 调用,首先 exec 使用相同的 sa 进入 pod ] 然后 运行 eng 命名空间的以下内容,稍后在其他命名空间上尝试。
curl -v --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/pods
我想要 运行 一个侦听端点列表更新的 pod(我还没有准备好采用端点集的 alpha 级功能,但我最终会扩展到该功能。)
我有这个代码:
package main
import (
"fmt"
"os"
"os/signal"
"sync"
"syscall"
"k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/cache"
)
func ReadKubeConfig() (*rest.Config, *kubernetes.Clientset, error) {
config, err := rest.InClusterConfig()
if err != nil {
return nil, nil, err
}
clients, err := kubernetes.NewForConfig(config)
if err != nil {
return nil, nil, err
}
return config, clients, nil
}
func main() {
_, cs, err := ReadKubeConfig()
if err != nil {
fmt.Printf("could not create Clientset: %s\n", err)
os.Exit(1)
}
factory := informers.NewSharedInformerFactory(cs, 0)
ifmr := factory.Core().V1().Endpoints().Informer()
stop := make(chan struct{})
ifmr.AddEventHandler(cache.ResourceEventHandlerFuncs{
AddFunc: func(next interface{}) {
fmt.Printf("AddFunc(%v)\n", next)
},
UpdateFunc: func(prev, next interface{}) {
fmt.Printf("UpdateFunc(%v, %v)\n", prev, next)
},
DeleteFunc: func(prev interface{}) {
fmt.Printf("DeleteFunc(%v)\n", prev)
},
})
wg := &sync.WaitGroup{}
wg.Add(1)
go func() {
defer runtime.HandleCrash()
ifmr.Run(stop)
wg.Done()
}()
ch := make(chan os.Signal, 1)
signal.Notify(ch, os.Interrupt)
signal.Notify(ch, os.Signal(syscall.SIGTERM))
signal.Notify(ch, os.Signal(syscall.SIGHUP))
sig := <-ch
fmt.Printf("Received signal %s\n", sig)
close(stop)
wg.Wait()
}
我在部署和 运行ning:
时遇到此错误kubeendpointwatcher.go:55: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:eng:default" cannot list resource "endpoints" in API group "" at the cluster scope
我定义了以下角色和角色绑定并将其部署到“eng”命名空间:
watch_endpoints$ kubectl -n eng get role mesh-endpoint-read -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: "2021-07-08T19:59:20Z"
name: mesh-endpoint-read
namespace: eng
resourceVersion: "182975428"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/eng/roles/mesh-endpoint-read
uid: fcadcc2a-19d0-4d6e-bee1-78413f51b91b
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- list
- watch
我有以下角色绑定:
watch_endpoints$ kubectl -n eng get rolebinding mesh-endpoint-read -o yaml | sed -e 's/^/ /g'
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2021-07-08T19:59:20Z"
name: mesh-endpoint-read
namespace: eng
resourceVersion: "182977845"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/eng/rolebindings/mesh-endpoint-read
uid: 705a3e50-2a73-47ed-aa62-0ea48f3493ee
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: mesh-endpoint-read
subjects:
- kind: ServiceAccount
name: default
namespace: default
您会注意到我将它应用于名为 default 的 default 命名空间和 eng 命名空间服务帐户,尽管错误消息似乎表明它确实是 [=42] =]在 eng 命名空间的 default 服务帐户中。
我以前使用过按预期工作的 Role 和 RoleBinding 以及 ServiceAccount 对象,所以我不明白为什么这不起作用。我错过了什么?
出于 testing/reproduction 目的,我 运行 通过将内置二进制文件(cgo off)kubectl cp 放入使用 kubectl -n eng create deplpoy 创建的容器中,并使用香草 ubuntu 图像 运行ning /bin/sh -c sleep 999999999,然后在该 pod 容器中执行 /bin/bash shell。
您已经为 eng 命名空间创建了 role 和 rolebinding。但是,根据错误消息:
kubeendpointwatcher.go:55: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:eng:default" cannot list resource "endpoints" in API group "" at the cluster scope
您正在查询“cluster”范围内的端点。尝试将查询限制为 eng 命名空间或使用 clusterrole/clusterbindings
错误信息提示(system:serviceaccount:eng:default)serviceaccount 运行ning in eng namespace, whose name is default does not have permission to query ep 在集群范围内。
要验证此,您可以 运行 两次 curl 调用,首先 exec 使用相同的 sa 进入 pod ] 然后 运行 eng 命名空间的以下内容,稍后在其他命名空间上尝试。
curl -v --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/pods