K8S - RoleBinding - Unable to access secrets from service account cert-manager-webhook-ovh

I want to use cert-manager's OVH webhook to issue HTTPS wildcard certificates, but I still can't figure out why cert-manager can't access the OVH credentials secret (needed to create DNS entries in OVH).

The ovh-credentials secret has been created in the default namespace.

cert-manager is in the cert-manager namespace, and cert-manager-webhook-ovh is in the default namespace.

I have a ClusterIssuer that calls cert-manager-webhook-ovh.

I defined a cert-manager-webhook-ovh:secret-reader ClusterRole, and a ClusterRoleBinding between the cert-manager-webhook-ovh service account and the cert-manager-webhook-ovh:secret-reader ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook-ovh:secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["ovh-credentials"]
  verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-ovh:secret-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-ovh:secret-reader
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: cert-manager-webhook-ovh
  namespace: cert-manager

These are my pods:

➜  alaya-studio git:(main) ✗ kubectl get pods --namespace=cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-6588898cb4-nfn7p              1/1     Running   1          27d
cert-manager-cainjector-7bcbdbd99f-tgllj   1/1     Running   5          27d
cert-manager-webhook-5fd9f9dd86-csjzq      1/1     Running   0          27d
➜  alaya-studio git:(main) ✗ kubectl get pods
NAME                                                  READY   STATUS    RESTARTS   AGE
cert-manager-webhook-ovh-77f9c7cc7b-xfdfx             1/1     Running   4          15d
express-59df84c766-8wjxw                              1/1     Running   0          27d
express-59df84c766-l4cf8                              1/1     Running   0          27d
express-59df84c766-w6hbt                              1/1     Running   0          27d
ngingress-ingress-nginx-controller-5586599f89-5fsgn   1/1     Running   0          28d

I get this error when the challenge is created:

  Type     Reason        Age              From          Message
  ----     ------        ----             ----          -------
  Normal   Started       9s               cert-manager  Challenge scheduled for processing
  Warning  PresentError  5s (x3 over 7s)  cert-manager  Error presenting challenge: secrets "ovh-credentials" is forbidden: User "system:serviceaccount:default:cert-manager-webhook-ovh" cannot get resource "secrets" in API group "" in the namespace "cert-manager"

The error message refers to the ServiceAccount cert-manager-webhook-ovh in the default namespace. You granted the permission to the ServiceAccount in the cert-manager namespace.

secrets "ovh-credentials" is forbidden: User "system:serviceaccount:default:cert-manager-webhook-ovh" cannot get resource "secrets" in API group "" in the namespace "cert-manager"
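As an added example (not the asker's manifests or the answerer's code), here is one way to write the binding so that it matches the identity in the error message. The subject is the ServiceAccount in the default namespace, exactly as the API server names it (system:serviceaccount:default:cert-manager-webhook-ovh). It also narrows the grant from a ClusterRole to a namespaced Role, since the error shows the lookup happening only in the cert-manager namespace; this assumes the ovh-credentials secret exists in that namespace, which the page does not confirm (the asker created it in default). The verbs are the same ones the asker's ClusterRole used.

```yaml
# Added example: least-privilege Role plus RoleBinding for the OVH webhook.
# Assumption: the secret is looked up in the cert-manager namespace, as the
# "forbidden" error states; adjust the namespace if the secret lives elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-ovh:secret-reader
  namespace: cert-manager        # scope the grant to where the secret is read
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["ovh-credentials"]   # only this one secret, not all secrets
  verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-ovh:secret-reader
  namespace: cert-manager        # a RoleBinding lives in the target namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-ovh:secret-reader
subjects:
- kind: ServiceAccount
  name: cert-manager-webhook-ovh
  namespace: default             # must match "system:serviceaccount:default:..."
```

Before retrying the challenge, the grant can be checked without touching the webhook by impersonating the service account the error names: `kubectl auth can-i get secrets/ovh-credentials -n cert-manager --as=system:serviceaccount:default:cert-manager-webhook-ovh` should print `yes`. Keeping the Role namespaced and restricted by resourceNames means the webhook cannot read any other secret in the cluster even if it is compromised.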