Scale kubernetes deployment within a pod - permission denied?

I'm trying to scale a deployment up and down from within a pod.
To do that, I created a service account with a clusterrolebinding, using the following RBAC:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: backups-scripts
  name: backups-roles
rules:
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - delete
      - watch
  - apiGroups: ["apps","extensions"]
    resources:
      - deployments
      - replicasets
      - statefulsets
    verbs:
      - get
      - list
      - patch
      - update
      - watch
      - scale

When testing with auth can-i, kube says everything is fine:

$ kubectl auth can-i delete deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
no - no RBAC policy matched
$ kubectl auth can-i list deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i scale deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i update deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i patch deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes

But now, when executing the kubectl command within the pod, I get the following error:

$ kubectl scale --replicas="$replicas" deployment -n "vm-catalogue" "mysql"
 Error from server (Forbidden): deployments.extensions "mysql" is forbidden: User "system:serviceaccount:backups-scripts:backups-sa" cannot get resource "deployments/scale" in API group "extensions" in the namespace "vm-catalogue"

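I know that the "list" and "get" verbs work, because I'm extracting that information in my script (and that part works).

So... I don't understand, what am I missing?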

I think the error message you pasted explains it pretty well:

$ kubectl scale --replicas="$replicas" deployment -n "vm-catalogue" "mysql"
 Error from server (Forbidden): deployments.extensions "mysql" is forbidden: User "system:serviceaccount:backups-scripts:backups-sa" cannot get resource "deployments/scale" in API group "extensions" in the namespace "vm-catalogue"

cannot get resource "deployments/scale"

According to the Kubernetes RBAC docs (#referring to resources):

"To represent this in an RBAC role, use a slash (/) to delimit the resource and subresource."

For example:

- deployments/scale
- deployments/status
- pods/log
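
Added example (not part of the original question or answer): a simplified Python model of RBAC rule matching, showing why the `can-i scale deployment` check returned yes while the request for `deployments/scale` was denied. The verbs granted on `deployments/scale` in `FIXED_RULES` are an assumption; the error on the page only shows the `get` denial.

```python
# Simplified model of how Kubernetes RBAC matches one request against a
# role's rules (added example; not kubectl or API-server code).

def _matches(values, wanted):
    return "*" in values or wanted in values

def _resource_matches(rule_resources, resource, subresource):
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule_resources:
        if r == "*" or r == combined:
            return True
        # "*/scale" would grant the subresource on every resource type
        if subresource and r == f"*/{subresource}":
            return True
    return False

def allowed(rules, verb, group, resource, subresource=""):
    """Return True if any rule grants verb on group/resource[/subresource]."""
    return any(
        _matches(rule["verbs"], verb)
        and _matches(rule["apiGroups"], group)
        and _resource_matches(rule["resources"], resource, subresource)
        for rule in rules
    )

# The deployments rule from the question, copied as data.
QUESTION_RULES = [{
    "apiGroups": ["apps", "extensions"],
    "resources": ["deployments", "replicasets", "statefulsets"],
    "verbs": ["get", "list", "patch", "update", "watch", "scale"],
}]

# Same rule plus the subresource named in the answer. The verb list for
# deployments/scale is an assumption (the page only shows "get" being denied).
FIXED_RULES = QUESTION_RULES + [{
    "apiGroups": ["apps", "extensions"],
    "resources": ["deployments/scale"],
    "verbs": ["get", "patch", "update"],
}]

if __name__ == "__main__":
    checks = [
        ("scale", "extensions", "deployments", ""),     # literal verb "scale" on deployments
        ("get", "extensions", "deployments", "scale"),  # the request the error reports
    ]
    for c in checks:
        print(c, "question:", allowed(QUESTION_RULES, *c), "fixed:", allowed(FIXED_RULES, *c))
```

A rule on `deployments` never covers `deployments/scale`, so the narrow fix is to list the subresource explicitly rather than widen the rule to `*`.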