Cannot list or delete ClusterRole or ClusterRoleBinding with a Kubernetes ServiceAccount

I want to create a Kubernetes CronJob that deletes resources (Namespace, ClusterRole, ClusterRoleBinding) that may have been left behind. (Initially the criteria will be "has label=something" and "older than 30 minutes". Each namespace contains the resources for a test run.)

I created the CronJob, ServiceAccount, ClusterRole and ClusterRoleBinding, and assigned the service account to the cronjob's pod.

The cronjob uses an image containing kubectl plus a few scripts that select the right resources.

My first draft looks like this:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: default
  labels:
    app: my-app

---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: my-app
  namespace: default
  labels:
    app: my-app
spec:
  concurrencyPolicy: Forbid
  schedule: "*/1 * * * *"
  jobTemplate:
    # job spec
    spec:
      template:
        # pod spec
        spec:
          serviceAccountName: my-app
          restartPolicy: Never
          containers:
          - name: my-app
            image: image-with-kubectl
            env:
            - name: MINIMUM_AGE_MINUTES
              value: '2'
            command: [sh, -c]
            args:
            # final script is more complex than this
            - |
              kubectl get namespaces
              kubectl get clusterroles
              kubectl get clusterrolebindings
              kubectl delete Namespace,ClusterRole,ClusterRoleBinding --all-namespaces --selector=bla=true

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-app
  labels:
    app: my-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-app
subjects:
  - kind: ServiceAccount
    name: my-app
    namespace: default
    apiGroup: ""

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-app
  labels:
    app: my-app
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - clusterroles
      - clusterrolebindings
    verbs: [list, delete]

The cronjob is able to list and delete namespaces, but not cluster roles or cluster role bindings. What am I missing?

(Actually, before moving to the CronJob, I tested this with a plain Job first):

NAME              STATUS   AGE
cattle-system     Active   16d
default           Active   16d
fleet-system      Active   16d
gitlab-runner     Active   7d6h
ingress-nginx     Active   16d
kube-node-lease   Active   16d
kube-public       Active   16d
kube-system       Active   16d
security-scan     Active   16d
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:default:my-app" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

You need to change your ClusterRole like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-app
  labels:
    app: my-app
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs: [list, delete]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - clusterroles
      - clusterrolebindings
    verbs: [list, delete]

The resources are now in the correct apiGroup.
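To see why the first ClusterRole fails, here is an added Python example (not from the question or the answer) that mimics how the RBAC authorizer matches a request against a role's rules: each rule is checked on its own, and a request is allowed only when its API group, resource and verb all appear in the same rule (or are covered by `*`). The two roles are embedded inline as dicts constructed from the YAML above.

```python
# Added example: a minimal model of Kubernetes RBAC rule matching, run against
# the question's original ClusterRole and the corrected one from the answer.
# The roles are constructed inline from the YAML on this page.

ORIGINAL_ROLE = {"rules": [
    {"apiGroups": [""],
     "resources": ["namespaces", "clusterroles", "clusterrolebindings"],
     "verbs": ["list", "delete"]},
]}

FIXED_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["list", "delete"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings"],
     "verbs": ["list", "delete"]},
]}

# Resource -> API group, as the API server resolves the kubectl calls in the script.
API_GROUP_OF = {
    "namespaces": "",
    "clusterroles": "rbac.authorization.k8s.io",
    "clusterrolebindings": "rbac.authorization.k8s.io",
}

def rule_matches(rule, group, resource, verb):
    """One rule allows the request only if group, resource AND verb all match it."""
    def covers(allowed_values, value):
        return "*" in allowed_values or value in allowed_values
    return (covers(rule["apiGroups"], group)
            and covers(rule["resources"], resource)
            and covers(rule["verbs"], verb))

def allowed(role, group, resource, verb):
    """RBAC rules are purely additive: the request is allowed if any single rule matches."""
    return any(rule_matches(r, group, resource, verb) for r in role["rules"])

def check_script(role):
    """Evaluate every kubectl call the CronJob script makes; returns {(verb, resource): bool}."""
    requests = [(verb, res) for verb in ("list", "delete") for res in API_GROUP_OF]
    return {(verb, res): allowed(role, API_GROUP_OF[res], res, verb) for verb, res in requests}

if __name__ == "__main__":
    for name, role in (("original", ORIGINAL_ROLE), ("fixed", FIXED_ROLE)):
        print(name)
        for (verb, res), ok in check_script(role).items():
            print(f"  {verb:6} {res:20} {'allowed' if ok else 'Forbidden'}")
```

Against a real cluster the equivalent check is `kubectl auth can-i list clusterroles --as=system:serviceaccount:default:my-app`, which reports `no` for the original role and `yes` for the corrected one.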