用户 "system:serviceaccount:default:flink" 无法在集群范围内列出 API 组“”中的资源 "nodes"

User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope

我正在尝试在一个 k8s pod 中调用 k8s api。但是遇到以下权限问题:

User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope.

在我的 yaml 文件中,我已经指定了 Role & RoleBinding。我在这里想念什么?

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: zeppelin-server-role
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "deployments", "nodes"]
  verbs: ["create", "get", "update", "patch", "list", "delete", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["bind", "create", "get", "update", "patch", "list", "delete", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: zeppelin-server-role-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: flink
roleRef:
  kind: ClusterRole
  name: zeppelin-server-role
  apiGroup: rbac.authorization.k8s.io

您正在 Kubernetes 上部署 zeppelin-server,对吗?您的带有服务帐户的 yaml 文件看起来不错,但要确保这有效,您应该执行以下步骤:

  • kubectl get clusterrole

你应该得到 zeppelin-server-role 角色。

  • 检查您的帐户“flink”是否绑定到 clusterrole“zeppelin-server-role”

kubectl get clusterrole clusterrolebinding

如果没有,可以通过以下命令创建:

kubectl create clusterrolebinding zeppelin-server-role-binding --clusterrole=zeppelin-server-role --serviceaccount=default:flink

  • 最后,看看你是否真的充当了这个账号:

kubectl get deploy flink-deploy -o yaml

如果您无法从类似输出的内容中看到设置“serviceAccount”和“serviceAccountName”:

...
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
...

然后添加你想让flink使用的账号:

kubectl patch deploy flink-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'