kubectl - User "system:node:anth-admin-host1" cannot list resource "events"
I cannot apply this ClusterRole to my admin cluster to add rbac.authorization; I have used the same yaml file for my user cluster without any problem.
How do I fix this?
Could there be a problem with my kubeconfig file?
ubuntu@anth-mgt-wksadmin:~$ cat cloud-console-reader.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cloud-console-reader
rules:
  apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
  apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
ubuntu@anth-mgt-wksadmin:~$ kubectl apply -f cloud-console-reader.yaml --kubeconfig kubeconfig
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "rbac.authorization.k8s.io/v1, Resource=clusterroles", GroupVersionKind: rbac.authorization.k8s.io/v1, Kind=ClusterRole" Name: "cloud-console-reader", Namespace: ""
from server for: "cloud-console-reader.yaml": clusterroles.rbac.authorization.k8s.io "cloud-console-reader" is forbidden: User "system:node:anth-admin-host1" cannot get resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
ubuntu@anth-mgt-wksadmin:~$ kubectl get nodes --kubeconfig kubeconfig
NAME               STATUS   ROLES                  AGE     VERSION
anth-admin-host1   Ready    control-plane,master   7d4h    v1.20.5-gke.1301
anth-admin-host3   Ready    <none>                 3h50m   v1.20.5-gke.1301
anth-admin-host4   Ready    <none>                 6d7h    v1.20.5-gke.1301
anth-admin-host5   Ready    <none>                 3h48m   v1.20.5-gke.1301
ubuntu@anth-mgt-wksadmin:~$ kubectl cluster-info dump --kubeconfig kubeconfig |tail -1
Error from server (Forbidden): events is forbidden: User "system:node:anth-admin-host1" cannot list resource "events" in API group "" in the namespace "kube-system"
}
I tried reformatting your YAML file in my environment and noticed that a few indentation changes fix your error:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
Note:
You can also create the ClusterRole as a one-liner using kubectl:
kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
If RBAC is enabled and the deployment controller is missing the service account defined in the deployment controller pod, you should be able to mitigate this easily by adding that SA and its Roles/Bindings. There are two ways to do this:
you can create the binding with a simple one-liner or the YAML way.
Grant the "cluster-admin" ClusterRole to a user named "root":
kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root
The kubeconfig file can be either from a trusted resource or specially crafted. Here are some steps to craft a kubeconfig file. There is also the possibility of merging kubeconfig files.
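Both the question and the answer above turn on the same two things: whether the manifest has the shape the API server expects, and which identity the kubeconfig presents when the request is authorized. The Forbidden messages already name that identity (system:node:anth-admin-host1, a kubelet's node identity, which is deliberately limited) and the exact verb, API group, resource and scope that were denied. The following is an added example, my own code and not from the thread or from Kubernetes: it parses those Forbidden lines into the request tuple the authorizer evaluated, checks a ClusterRole manifest for the structural mistakes seen in the thread (rules not written as a list, a mis-cased metadata key), and models the RBAC rule-matching logic so a request can be replayed against the cloud-console-reader role. The dicts below are constructed as a YAML loader would produce them; `BROKEN_AS_LOADED` is an approximation of the thread's original manifest, and the function names are my own.

```python
import re

# ClusterRole from the thread, as a YAML loader produces the corrected manifest
# (lower-case metadata, rules as a list with one "- apiGroups:" item per rule).
CLOUD_CONSOLE_READER = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cloud-console-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes", "persistentvolumes"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed approximation of the thread's broken manifest after loading:
# rule fields at the same indent as "rules:" become top-level keys (rules is
# null), and the answer's "Metadata:" (capital M) is an unknown field.
BROKEN_AS_LOADED = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "Metadata": None, "name": "cloud-console-reader", "rules": None,
    "apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
    "verbs": ["get", "list", "watch"],
}

# The two Forbidden messages copied from the thread's kubectl output.
FORBIDDEN_LINES = [
    'clusterroles.rbac.authorization.k8s.io "cloud-console-reader" is forbidden: '
    'User "system:node:anth-admin-host1" cannot get resource "clusterroles" '
    'in API group "rbac.authorization.k8s.io" at the cluster scope',
    'events is forbidden: User "system:node:anth-admin-host1" cannot list '
    'resource "events" in API group "" in the namespace "kube-system"',
]

_FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_forbidden(line):
    """Extract the identity and the (verb, group, resource, namespace) tuple the
    authorizer evaluated; namespace is None for a cluster-scoped request."""
    m = _FORBIDDEN_RE.search(line)
    if m is None:
        raise ValueError("not a kubectl Forbidden message: " + line)
    return m.groupdict()


def validate_clusterrole(doc):
    """Return structural problems; an empty list means the manifest has the
    shape the API server expects (and grants nothing by wildcard)."""
    problems = []
    if doc.get("apiVersion") != "rbac.authorization.k8s.io/v1":
        problems.append("apiVersion must be rbac.authorization.k8s.io/v1")
    if doc.get("kind") != "ClusterRole":
        problems.append("kind must be ClusterRole")
    known = {"apiVersion", "kind", "metadata", "rules", "aggregationRule"}
    for key in doc:
        if key not in known:
            problems.append(f"unknown top-level field {key!r} (keys are case-sensitive)")
    meta = doc.get("metadata")
    if not isinstance(meta, dict) or not meta.get("name"):
        problems.append("metadata.name is required")
    rules = doc.get("rules")
    if not isinstance(rules, list):
        problems.append("rules must be a list: each rule starts with '- apiGroups:'")
        return problems
    for i, rule in enumerate(rules):
        for field in ("apiGroups", "resources", "verbs"):
            if not isinstance(rule.get(field), list) or not rule[field]:
                problems.append(f"rules[{i}].{field} must be a non-empty list")
        if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
            problems.append(f"rules[{i}] grants a wildcard; list what is needed instead")
    return problems


def _resource_matches(allowed, resource):
    # "*" matches any resource; "*/status" matches that subresource of any kind.
    for entry in allowed:
        if entry == "*" or entry == resource:
            return True
        if entry.startswith("*/") and "/" in resource and resource.split("/", 1)[1] == entry[2:]:
            return True
    return False


def can_i(role, verb, group, resource):
    """RBAC semantics: allowed if any single rule matches API group, resource
    and verb together; fields from different rules never combine."""
    return any(
        ("*" in r["apiGroups"] or group in r["apiGroups"])
        and ("*" in r["verbs"] or verb in r["verbs"])
        and _resource_matches(r["resources"], resource)
        for r in role["rules"]
    )
```

Replaying the thread's two denied requests through `can_i` shows that cloud-console-reader would not have granted either of them even if it had been bound to the node identity, which is the diagnostic point: the role being applied has no bearing on whether the caller may apply it. Against a live cluster the equivalent check is `kubectl auth can-i get clusterroles --kubeconfig kubeconfig` (or `kubectl auth can-i --list` to see everything the identity holds) before reaching for a more privileged credential such as admin.conf; a dedicated user bound to exactly cloud-console-reader is the least-privilege alternative to handing the workstation cluster-admin rights.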
Problem solved.
I copied the admin.conf file from one of the admin cluster nodes to the admin workstation and renamed it to kubeconfig.
root@anth-admin-host1:~# cat /etc/kubernetes/admin.conf
apiVersion: v1
clusters:
Everything works!