Not able to access resource from Kubernetes operator

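I get the error below when I try to fetch a resource (test-associations) in the testns2 namespace, created by assocOperator (a Kubernetes operator deployed at stage level), from the test operator code (a Kubernetes operator deployed at stage level). Can someone help me with what I am missing here?

Error: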

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.17.0.1/apis/tc.secassoc/v1/namespaces/testns2/associations/test-associations. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. associations.tc.secassoc "test-associations" is forbidden: User "system:serviceaccount:test-operator:test-operator" cannot get resource "associations" in API group "tc.secassoc" in the namespace "testns2"

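You need to add the proper RBAC permissions for the operator's service account (i.e. test-operator).

If you have already created a ClusterRole and ClusterRoleBinding for the operator's service account, make sure the following rule is present in the ClusterRole's rules section: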

rules:
- apiGroups: ["tc.secassoc"]
  resources: ["associations"]
  verbs: ["get", "watch", "list"]

If you have not created any RBAC resources, create the following:

  1. Create the ClusterRole:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: associations-reader
rules:
- apiGroups: ["tc.secassoc"]
  resources: ["associations"]
  verbs: ["get", "watch", "list"]

$ kubectl apply -f cluster-role.yaml

  2. Create the ClusterRoleBinding:

$ kubectl create clusterrolebinding associations-reader-pod \
  --clusterrole=associations-reader  \
  --serviceaccount=test-operator:test-operator
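
The ClusterRoleBinding above grants read access to associations in every namespace. When the operator only needs the objects in testns2, the same grant can be scoped to that namespace with a Role and RoleBinding. This is an added example, not part of the original answer; the object names `associations-reader` and `associations-reader-test-operator` are assumptions chosen for illustration.

```yaml
# Added example: namespaced alternative to the ClusterRole/ClusterRoleBinding.
# Grants read-only access to associations.tc.secassoc inside testns2 only.
# Object names below are illustrative assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: associations-reader
  namespace: testns2            # namespace that holds the resource
rules:
- apiGroups: ["tc.secassoc"]
  resources: ["associations"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: associations-reader-test-operator
  namespace: testns2            # a RoleBinding applies only in its own namespace
subjects:
- kind: ServiceAccount
  name: test-operator           # from the error: system:serviceaccount:test-operator:test-operator
  namespace: test-operator      # the subject may live in a different namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: associations-reader
# Check the grant as the operator's identity, once for testns2 and once
# for a namespace that should stay off limits:
#   kubectl auth can-i get associations.tc.secassoc -n testns2 \
#     --as=system:serviceaccount:test-operator:test-operator
```

An operator that lists or watches associations across all namespaces still needs the cluster-wide binding, because a RoleBinding does not authorize cluster-scoped list or watch requests.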