I have an RBAC problem, but everything I test seems ok?

This is a continuation of the problem described here ()

I did more testing, but I still don't understand this error

Error from server (Forbidden): pods is forbidden: User "dma" cannot list resource "pods" in API group "" at the cluster scope

Update: here is another hint, from the API server
watch chan error: etcdserver: mvcc: required revision has been compacted

I found this post, but I am working on a current Kubernetes

My user exists

NAME   AGE   SIGNERNAME                            REQUESTOR          REQUESTEDDURATION   CONDITION
dma    77m   kubernetes.io/kube-apiserver-client   kubernetes-admin   <none>              Approved,Issued

The cluster role exists

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"kubelet-runtime"},"rules":[{"apiGroups":["","extensions","apps","argoproj.io","workflows.argoproj.io","events.argoproj.io","coordination.k8s.io"],"resources":["*"],"verbs":["*"]},{"apiGroups":["batch"],"resources":["jobs","cronjobs"],"verbs":["*"]}]}
  creationTimestamp: "2021-12-16T00:24:56Z"
  name: kubelet-runtime
  resourceVersion: "296716"
  uid: a4697d6e-c786-4ec9-bf3e-88e3dbfdb6d9
rules:
- apiGroups:
  - ""
  - extensions
  - apps
  - argoproj.io
  - workflows.argoproj.io
  - events.argoproj.io
  - coordination.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'

The sandbox namespace exists

NAME      STATUS   AGE
sandbox   Active   6d6h

My user is authorized to operate in the kubelet cluster and in the namespace "sandbox"

{
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"ClusterRoleBinding\",\"metadata\":{\"annotations\":{},\"name\":\"dma-kubelet-binding\"},\"roleRef\":{\"apiGroup\":\"rbac.authorization.k8s.io\",\"kind\":\"ClusterRole\",\"name\":\"kubelet-runtime\"},\"subjects\":[{\"kind\":\"ServiceAccount\",\"name\":\"dma\",\"namespace\":\"argo\"},{\"kind\":\"ServiceAccount\",\"name\":\"dma\",\"namespace\":\"argo-events\"},{\"kind\":\"ServiceAccount\",\"name\":\"dma\",\"namespace\":\"sandbox\"}]}\n"
        },
        "creationTimestamp": "2021-12-16T00:25:42Z",
        "name": "dma-kubelet-binding",
        "resourceVersion": "371397",
        "uid": "a2fb6d5b-8dba-4320-af74-71caac7bdc39"
    },
    "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "kubelet-runtime"
    },
    "subjects": [
        {
            "kind": "ServiceAccount",
            "name": "dma",
            "namespace": "argo"
        },
        {
            "kind": "ServiceAccount",
            "name": "dma",
            "namespace": "argo-events"
        },
        {
            "kind": "ServiceAccount",
            "name": "dma",
            "namespace": "sandbox"
        }
    ]
}

My user has the correct permissions

{
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"dma\",\"namespace\":\"sandbox\"},\"rules\":[{\"apiGroups\":[\"\",\"apps\",\"autoscaling\",\"batch\",\"extensions\",\"policy\",\"rbac.authorization.k8s.io\",\"argoproj.io\",\"workflows.argoproj.io\"],\"resources\":[\"pods\",\"configmaps\",\"deployments\",\"events\",\"pods\",\"persistentvolumes\",\"persistentvolumeclaims\",\"services\",\"workflows\"],\"verbs\":[\"get\",\"list\",\"watch\",\"create\",\"update\",\"patch\",\"delete\"]}]}\n"
        },
        "creationTimestamp": "2021-12-21T19:41:38Z",
        "name": "dma",
        "namespace": "sandbox",
        "resourceVersion": "1058387",
        "uid": "94191881-895d-4457-9764-5db9b54cdb3f"
    },
    "rules": [
        {
            "apiGroups": [
                "",
                "apps",
                "autoscaling",
                "batch",
                "extensions",
                "policy",
                "rbac.authorization.k8s.io",
                "argoproj.io",
                "workflows.argoproj.io"
            ],
            "resources": [
                "pods",
                "configmaps",
                "deployments",
                "events",
                "pods",
                "persistentvolumes",
                "persistentvolumeclaims",
                "services",
                "workflows"
            ],
            "verbs": [
                "get",
                "list",
                "watch",
                "create",
                "update",
                "patch",
                "delete"
            ]
        }
    ]
}

My user is configured correctly on all nodes

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://206.81.25.186:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: dma
  name: dma@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: dma
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Based on this site, I have been looking at watch events.

I think I have rebuilt everything above the control plane, but the problem persists.

The next step would be to rebuild the entire cluster, but finding the actual problem would be more satisfying.

Please help.

Fix: so the policy for the sandbox namespace was wrong. I fixed it and the problem went away!

I think I finally understand RBAC (policies and all). Many thanks to the members of the Kubernetes Slack channel. These policies have passed the first set of tests for the Argo Workflows development environment ("sandbox"). Still testing.

The policies.yaml file:

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev
  namespace: sandbox
rules:
  # read-only access to every resource of every API group, inside sandbox only
  # ("attributeRestrictions" is an OpenShift field, not part of the Kubernetes RBAC API, so it is dropped)
  - apiGroups: ["*"]
    resources: ["*"]
    verbs:
      - get
      - watch
      - list
  # full access to the Argo resources; the apiGroup typo "events.argoprpj.io" is corrected,
  # and the Argo Events kinds use their plural resource names (eventbus, eventsources, sensors).
  # pods, configmaps, deployments, events, persistentvolume(claim)s and services live in the
  # core/apps groups, so listing them under the Argo groups grants nothing for them.
  - apiGroups: ["argoproj.io", "workflows.argoproj.io", "events.argoproj.io"]
    resources:
      - pods
      - configmaps
      - deployments
      - events
      - persistentvolumes
      - persistentvolumeclaims
      - services
      - workflows
      - eventbus
      - eventsources
      - sensors
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dma-dev
  # a RoleBinding is namespaced; without this it is created in the current context's namespace
  namespace: sandbox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev
subjects:
# kind: User matches the identity from the client certificate (the earlier binding used ServiceAccount subjects)
- kind: User
  name: dma
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dma-admin
subjects:
# a namespace on a User subject has no meaning; this binding grants cluster-admin to dma
# in every namespace and at cluster scope, so it subsumes the sandbox Role above
- kind: User
  name: dma
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
  namespace: sandbox
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
    - from:
      - podSelector:
          matchLabels:
            run: access
...
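As an added example (not code from the post or from Kubernetes itself), the following models the RBAC decision over the manifests quoted above: the ServiceAccount subjects in dma-kubelet-binding never match the User "dma" that the CSR-issued client certificate authenticates as, and a RoleBinding can only answer a namespaced request, which is why the error says "at the cluster scope". The names CLUSTER_ROLES, ROLES and can_i are the example's own.

```python
# Added example (not from the post or from Kubernetes itself): a reduced model of the RBAC
# authorizer's decision, fed with the manifests quoted above, to show why User "dma" was denied.
# Assumptions: manifests are plain dicts, namespace=None is a cluster-scoped request,
# and "*" is the only wildcard handled.
CLUSTER_ROLES = {
    "kubelet-runtime": [{"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["*"]}],
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
ROLES = {  # namespaced Roles keyed by (namespace, name); "dev" is the Role from the fix
    ("sandbox", "dev"): [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "watch", "list"]}],
}

def _has(values, want):
    return "*" in values or want in values

def rule_allows(rule, group, resource, verb):
    """One rule grants a request only if apiGroup, resource and verb all match."""
    return _has(rule["apiGroups"], group) and _has(rule["resources"], resource) and _has(rule["verbs"], verb)

def subject_matches(subject, who):
    """Kind and name must both match; a ServiceAccount subject is also tied to a namespace."""
    if subject["kind"] != who["kind"] or subject["name"] != who["name"]:
        return False
    return who["kind"] != "ServiceAccount" or subject.get("namespace") == who.get("namespace")

def can_i(who, verb, resource, bindings, group="", namespace=None):
    """True if some binding names `who` and its role has a rule allowing the request. A RoleBinding
    only applies inside its own namespace, so it never satisfies a cluster-scoped request (None)."""
    for b in bindings:
        if not any(subject_matches(s, who) for s in b["subjects"]):
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        rules = (CLUSTER_ROLES.get(ref["name"], []) if ref["kind"] == "ClusterRole"
                 else ROLES.get((b["namespace"], ref["name"]), []))
        if any(rule_allows(r, group, resource, verb) for r in rules):
            return True
    return False

# dma-kubelet-binding from the question: every subject is a ServiceAccount called dma,
# but the CSR-issued client certificate authenticates as a User called dma.
ORIGINAL_CRB = {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "kubelet-runtime"},
                "subjects": [{"kind": "ServiceAccount", "name": "dma", "namespace": ns}
                             for ns in ("argo", "argo-events", "sandbox")]}
FIXED = [  # the two bindings from the fix, both with a User subject
    {"kind": "RoleBinding", "namespace": "sandbox", "roleRef": {"kind": "Role", "name": "dev"},
     "subjects": [{"kind": "User", "name": "dma"}]},
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "dma"}]},
]
USER_DMA = {"kind": "User", "name": "dma"}
```

`can_i(USER_DMA, "list", "pods", [ORIGINAL_CRB])` is False (subject kind mismatch), while the same call with `FIXED[:1]` is False at cluster scope but True with `namespace="sandbox"`, and True with all of `FIXED`; the real cluster answers the same questions via `kubectl auth can-i list pods --as=dma [-n sandbox]`.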