Not able to access resource from Kubernetes operator
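When I try to get the resource (test-associations) created in the testns2 namespace by assocOperator (a Kubernetes operator deployed at the stage level) from the test-operator code (a Kubernetes operator deployed at stage), I get the error below. Can someone help me with what I am missing here?
Error: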
io.fabric8.kubernetes.client.KubernetesClientException: Failure
executing: GET at:
https://172.17.0.1/apis/tc.secassoc/v1/namespaces/testns2/associations/test-associations.
Message: Forbidden!Configured service account doesn't have access.
Service account may have been revoked. associations.tc.secassoc
"test-associations" is forbidden: User
"system:serviceaccount:test-operator:test-operator" cannot get
resource "associations" in API group "tc.secassoc" in the
namespace "testns2"
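You need to add the proper RBAC permissions for the operator's service account (i.e. test-operator).
If you have already created a ClusterRole and a ClusterRoleBinding for the operator's service account, make sure the following rule is present in the rules section of the ClusterRole: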
rules:
- apiGroups: ["tc.secassoc"]
  resources: ["associations"]
  verbs: ["get", "watch", "list"]
If you have not created any RBAC resources, create the following:
- Create the ClusterRole:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: associations-reader
rules:
- apiGroups: ["tc.secassoc"]
  resources: ["associations"]
  verbs: ["get", "watch", "list"]
$ kubectl apply -f cluster-role.yaml
- Create the ClusterRoleBinding:
$ kubectl create clusterrolebinding associations-reader-pod \
    --clusterrole=associations-reader \
    --serviceaccount=test-operator:test-operator