kubectl - 来自服务器的错误(禁止):用户 "xxx@xxx.it" 被禁止:用户 "system:serviceaccount:gke-connect:connect-agent-sa"

kubectl - Error from server (Forbidden): users "xxx@xxx.it" is forbidden: User "system:serviceaccount:gke-connect:connect-agent-sa"

我有这种奇怪的情况,我该如何解决这个问题?

ubuntu@anth-mgt-wksadmin:~$ kubectl get nodes
error: the server doesn't have a resource type "nodes"

ubuntu@anth-mgt-wksadmin:~$ kubectl cluster-info
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
error: the server doesn't have a resource type "services"

ubuntu@anth-mgt-wksadmin:~$ kubectl cluster-info dump
Error from server (Forbidden): users "xxx@xxx.it" is forbidden: User system:serviceaccount:gke-connect:connect-agent-sa" cannot impersonate resource "users" in API group "" at the cluster scope

我认为问题是由以下应用搜索将管理员集群连接到 Cloud Console 的方法引起的,但如何回滚?

USER_ACCOUNT=foo@example.com
cat <<EOF > /tmp/impersonate.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-impersonate
rules:
- apiGroups:
  - ""
  resourceNames:
  - ${USER_ACCOUNT}
  resources:
  - users
  verbs:
 - impersonate
 - --
 - apiVersion: rbac.authorization.k8s.io/v1
 - kind: ClusterRoleBinding
metadata:
  name: gateway-impersonate
roleRef:
  kind: ClusterRole
  name: gateway-impersonate
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: connect-agent-sa
  namespace: gke-connect
EOF
# Apply impersonation policy to the cluster.
kubectl apply -f /tmp/impersonate.yaml

我已将 admin.conf 文件从一个管理员集群节点复制到管理员工作站并重命名为 kubeconfig

root@anth-admin-host1:~# cat /etc/kubernetes/admin.conf apiVersion: v1 clusters: