为什么 pods 运行 具有所需权限的服务帐户无法列出 pods?
Why the pods running with a service account with needed permissions cannot list pods?
我在命名空间 xyz 中创建了一个服务帐户“serviceacc”,并授予它所需的权限。然而它无法列出 pods。这是我遵循的步骤。
$kubectl create namespace xyz
$kubectl apply -f objects.yaml
其中内容objects.yaml
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: xyz
name: listpodser
rules:
- apiGroups: [""]
resources: ["pod"]
verbs: ["get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: xyz
name: service-listpodser
subjects:
- kind: ServiceAccount
name: serviceacc
apiGroup: ""
roleRef:
kind: Role
name: listpodser
apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: serviceacc
namespace: xyz
然后我检查了服务帐户是否有权限列出 pods:
$ kubectl auth can-i get pods --namespace xyz --as system:serviceaccount:xyz:serviceacc
no
$ kubectl auth can-i list pods --namespace xyz --as system:serviceaccount:xyz:serviceacc
no
从上面命令的输出可以看出,它不能get/list pods.
简单的命名混乱。在资源列表中使用 pods 而不是 pod。
您可以通过这种方式更简单、更轻松:
kubectl create sa serviceacc -n xyz
kubectl create role listpodser --verb=get,list --resource=po -n xyz
kubectl create -n xyz rolebinding service-listpodser --role=listpodser --serviceaccount=xyz:serviceacc
Note the short name for pods is accepted here po, you can use the short name for any api object
short names: If you need to list the short names for all objects, run this command kubectl apu-resources, the same way you can use the short name for other objects.e.g. pv instead of persistentvolume.
这样你就可以将这三行代码写成一个shell脚本来一次创建所有内容
我在命名空间 xyz 中创建了一个服务帐户“serviceacc”,并授予它所需的权限。然而它无法列出 pods。这是我遵循的步骤。
$kubectl create namespace xyz
$kubectl apply -f objects.yaml
其中内容objects.yaml
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: xyz
name: listpodser
rules:
- apiGroups: [""]
resources: ["pod"]
verbs: ["get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: xyz
name: service-listpodser
subjects:
- kind: ServiceAccount
name: serviceacc
apiGroup: ""
roleRef:
kind: Role
name: listpodser
apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: serviceacc
namespace: xyz
然后我检查了服务帐户是否有权限列出 pods:
$ kubectl auth can-i get pods --namespace xyz --as system:serviceaccount:xyz:serviceacc
no
$ kubectl auth can-i list pods --namespace xyz --as system:serviceaccount:xyz:serviceacc
no
从上面命令的输出可以看出,它不能get/list pods.
简单的命名混乱。在资源列表中使用 pods 而不是 pod。
您可以通过这种方式更简单、更轻松:
kubectl create sa serviceacc -n xyz
kubectl create role listpodser --verb=get,list --resource=po -n xyz
kubectl create -n xyz rolebinding service-listpodser --role=listpodser --serviceaccount=xyz:serviceacc
Note the short name for pods is accepted here
po, you can use the short name for any api object
short names: If you need to list the short names for all objects, run this command
kubectl apu-resources, the same way you can use the short name for other objects.e.g. pv instead of persistentvolume.
这样你就可以将这三行代码写成一个shell脚本来一次创建所有内容