用户 "system:serviceaccount:default:flink" 无法在集群范围内列出 API 组“”中的资源 "nodes"
User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope
我正在尝试在一个 k8s pod 中调用 k8s api。但是遇到以下权限问题:
User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope.
在我的 yaml 文件中,我已经指定了 Role & RoleBinding。我在这里想念什么?
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flink
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: zeppelin-server-role
rules:
- apiGroups: [""]
resources: ["pods", "services", "configmaps", "deployments", "nodes"]
verbs: ["create", "get", "update", "patch", "list", "delete", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["bind", "create", "get", "update", "patch", "list", "delete", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: zeppelin-server-role-binding
namespace: default
subjects:
- kind: ServiceAccount
name: flink
roleRef:
kind: ClusterRole
name: zeppelin-server-role
apiGroup: rbac.authorization.k8s.io
您正在 Kubernetes 上部署 zeppelin-server,对吗?您的带有服务帐户的 yaml 文件看起来不错,但要确保这有效,您应该执行以下步骤:
kubectl get clusterrole
你应该得到 zeppelin-server-role 角色。
- 检查您的帐户“flink”是否绑定到 clusterrole“zeppelin-server-role”
kubectl get clusterrole clusterrolebinding
如果没有,可以通过以下命令创建:
kubectl create clusterrolebinding zeppelin-server-role-binding --clusterrole=zeppelin-server-role --serviceaccount=default:flink
- 最后,看看你是否真的充当了这个账号:
kubectl get deploy flink-deploy -o yaml
如果您无法从类似输出的内容中看到设置“serviceAccount”和“serviceAccountName”:
...
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
...
然后添加你想让flink使用的账号:
kubectl patch deploy flink-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
我正在尝试在一个 k8s pod 中调用 k8s api。但是遇到以下权限问题:
User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope.
在我的 yaml 文件中,我已经指定了 Role & RoleBinding。我在这里想念什么?
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flink
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: zeppelin-server-role
rules:
- apiGroups: [""]
resources: ["pods", "services", "configmaps", "deployments", "nodes"]
verbs: ["create", "get", "update", "patch", "list", "delete", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["bind", "create", "get", "update", "patch", "list", "delete", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: zeppelin-server-role-binding
namespace: default
subjects:
- kind: ServiceAccount
name: flink
roleRef:
kind: ClusterRole
name: zeppelin-server-role
apiGroup: rbac.authorization.k8s.io
您正在 Kubernetes 上部署 zeppelin-server,对吗?您的带有服务帐户的 yaml 文件看起来不错,但要确保这有效,您应该执行以下步骤:
kubectl get clusterrole
你应该得到 zeppelin-server-role 角色。
- 检查您的帐户“flink”是否绑定到 clusterrole“zeppelin-server-role”
kubectl get clusterrole clusterrolebinding
如果没有,可以通过以下命令创建:
kubectl create clusterrolebinding zeppelin-server-role-binding --clusterrole=zeppelin-server-role --serviceaccount=default:flink
- 最后,看看你是否真的充当了这个账号:
kubectl get deploy flink-deploy -o yaml
如果您无法从类似输出的内容中看到设置“serviceAccount”和“serviceAccountName”:
...
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
...
然后添加你想让flink使用的账号:
kubectl patch deploy flink-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'