kubectl - Error from server (Forbidden): users "xxx@xxx.it" is forbidden: User "system:serviceaccount:gke-connect:connect-agent-sa"
I have this strange situation; how can I solve this problem?
ubuntu@anth-mgt-wksadmin:~$ kubectl get nodes
error: the server doesn't have a resource type "nodes"
ubuntu@anth-mgt-wksadmin:~$ kubectl cluster-info
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
error: the server doesn't have a resource type "services"
ubuntu@anth-mgt-wksadmin:~$ kubectl cluster-info dump
Error from server (Forbidden): users "xxx@xxx.it" is forbidden: User system:serviceaccount:gke-connect:connect-agent-sa" cannot impersonate resource "users" in API group "" at the cluster scope
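I think the problem was caused by applying the following, which I found while searching for a way to connect the admin cluster to Cloud Console, but how do I roll it back?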
USER_ACCOUNT=foo@example.com
cat <<EOF > /tmp/impersonate.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-impersonate
rules:
- apiGroups:
  - ""
  resourceNames:
  - ${USER_ACCOUNT}
  resources:
  - users
  verbs:
  - impersonate
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-impersonate
roleRef:
  kind: ClusterRole
  name: gateway-impersonate
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: connect-agent-sa
  namespace: gke-connect
EOF
# Apply impersonation policy to the cluster.
kubectl apply -f /tmp/impersonate.yaml
I have copied the admin.conf file from one of the admin cluster nodes to the admin workstation and renamed it to kubeconfig.
root@anth-admin-host1:~# cat /etc/kubernetes/admin.conf
apiVersion: v1
clusters:
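The ClusterRole in the question lists a single address under resourceNames, so its impersonate permission covers only that exact user name. As an added example (not part of the original post; the function names are hypothetical and the policy data is reconstructed from the YAML above), this Python code evaluates the rule the way RBAC matches it:

```python
# Added example: offline evaluation of the gateway-impersonate rule.
# Function names are hypothetical; the policy data mirrors the YAML above.

def _matches(allowed, value):
    # For verbs, apiGroups and resources, "*" is a wildcard in RBAC.
    return "*" in allowed or value in allowed

def rule_allows(rule, verb, api_group, resource, name):
    """True if one PolicyRule permits verb on resource/name."""
    if not (_matches(rule.get("verbs", []), verb)
            and _matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)):
        return False
    names = rule.get("resourceNames", [])
    # Empty resourceNames means every name; otherwise exact match only.
    return not names or name in names

def build_policy(user_account):
    """ClusterRole and ClusterRoleBinding as the heredoc renders them."""
    role = {"metadata": {"name": "gateway-impersonate"},
            "rules": [{"apiGroups": [""], "resourceNames": [user_account],
                       "resources": ["users"], "verbs": ["impersonate"]}]}
    binding = {"roleRef": {"kind": "ClusterRole", "name": "gateway-impersonate"},
               "subjects": [{"kind": "ServiceAccount", "name": "connect-agent-sa",
                             "namespace": "gke-connect"}]}
    return role, binding

def can_impersonate(role, binding, subject, user):
    """True if subject is bound to role and a rule lets it impersonate user."""
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        return False
    if subject not in binding["subjects"]:
        return False
    return any(rule_allows(r, "impersonate", "", "users", user)
               for r in role["rules"])

AGENT = {"kind": "ServiceAccount", "name": "connect-agent-sa",
         "namespace": "gke-connect"}

if __name__ == "__main__":
    role, binding = build_policy("foo@example.com")
    for user in ("foo@example.com", "xxx@xxx.it"):
        ok = can_impersonate(role, binding, AGENT, user)
        print(f"connect-agent-sa impersonating {user}:",
              "allowed" if ok else "forbidden")
```

On a live cluster, `kubectl auth can-i impersonate users/<name> --as=system:serviceaccount:gke-connect:connect-agent-sa` asks the API server the same question.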