Amazon web services: 403 Forbidden when trying to send "readJob" from inside an EKS container to the K8S API

I have Java code running in an EKS container. The code obtains AWS credentials from the Amazon EC2 instance metadata service (software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider#create).

The code tries to call the get/read Job API on the EKS cluster it is running in, but it receives a 403 Forbidden error.

How can I allow the code to call the K8S API?

The response I get is:

{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch \"my-k8s-job\" is forbidden: User \"system:node:ip-10-176-13-105.eu-central-1.compute.internal\" cannot get resource \"jobs\" in API group \"batch\" in the namespace \"default\"","reason":"Forbidden","details":{"name":"my-k8s-job","group":"batch","kind":"jobs"},"code":403}

                ... 38 more
        Caused by: io.kubernetes.client.openapi.ApiException:
                at io.kubernetes.client.openapi.ApiClient.handleResponse(ApiClient.java:973) ~[client-java-api-12.0.0.jar:?]
                at io.kubernetes.client.openapi.ApiClient.execute(ApiClient.java:885) ~[client-java-api-12.0.0.jar:?]
                at io.kubernetes.client.openapi.apis.BatchV1Api.readNamespacedJobWithHttpInfo(BatchV1Api.java:3010) ~[client-java-api-12.0.0.jar:?]
                at io.kubernetes.client.openapi.apis.BatchV1Api.readNamespacedJob(BatchV1Api.java:2980) ~[client-java-api-12.0.0.jar:?]
...

Thanks.

Once you deploy an application into a Kubernetes cluster, it adds the service account token to your pod as a volume. That lets you use the Kubernetes API from inside the pod.

You can run
kubectl describe pod
to get the description of the pod. In the volumes section you will find the secret, which is created automatically for the ServiceAccount in the particular namespace (see the log below).

home-pc$ kubectl get secrets --context kind-test1
NAME                  TYPE                                  DATA   AGE
default-token-qjdpp   kubernetes.io/service-account-token   3      5m39s

Obviously, your pod will have the same amount of permissions as your ServiceAccount.

A ServiceAccount is bound to a particular Role (ClusterRole) through a RoleBinding (ClusterRoleBinding).

Meanwhile, the Role (or ClusterRole) is the place where you may want to add more permissions for particular resources.

Please follow for more information.

Hope this helps.

UPD: for your particular case you need to add the ability to handle jobs, so your Role should be the following:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: your-namespace
  name: job-watcher
rules:
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "update", "delete", "create"]

Thanks a lot. What I did was: 1. Run
kubectl edit cm -n kube-system aws-auth
and add the extra permission group "system:masters" to the groups. 2. Add permissions to the EKS node role.
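The answer's Role lists the verbs but shows neither the RoleBinding that attaches it to a ServiceAccount nor a way to check the outcome. The following Python script is added here and is not part of the question or the answer: it takes the 403 Status body quoted in the question, extracts the denied request (user, verb, resource, API group, namespace, object name), emits a ServiceAccount, Role and RoleBinding that grant exactly that request, and evaluates Role rules the way the RBAC authorizer does, so the answer's job-watcher rules can be checked without a cluster. The names job-reader, job-reader-role and job-reader-binding are assumptions. It goes beyond the single case in the thread: the parser handles core ("") and named API groups, and the matcher handles "*" wildcards and resourceNames.

```python
"""Turn a Kubernetes 403 Status response into least-privilege RBAC objects and
check Role rules offline.  Added example, not code from the question or answer;
the ServiceAccount/Role/RoleBinding names below are assumptions."""
import json
import re

# Status body copied from the question (the 403 the Java client received).
FORBIDDEN_STATUS = r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch \"my-k8s-job\" is forbidden: User \"system:node:ip-10-176-13-105.eu-central-1.compute.internal\" cannot get resource \"jobs\" in API group \"batch\" in the namespace \"default\"","reason":"Forbidden","details":{"name":"my-k8s-job","group":"batch","kind":"jobs"},"code":403}'

# Rules of the Role proposed in the answer, copied for the offline check.
ANSWER_ROLE_RULES = [
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["get", "list", "update", "delete", "create"]},
]

# Shape of the apiserver's RBAC denial message; the group may be "" (core API).
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)


def parse_forbidden(status_body: str) -> dict:
    """Extract user/verb/resource/group/namespace/name from a 403 Status object."""
    status = json.loads(status_body)
    if status.get("code") != 403 or status.get("reason") != "Forbidden":
        raise ValueError("not a Forbidden Status object")
    match = FORBIDDEN_RE.search(status["message"])
    if not match:
        raise ValueError("unrecognised forbidden message: " + status["message"])
    req = match.groupdict()
    req["name"] = status.get("details", {}).get("name")  # None for list/create
    return req


def rule_matches(rule: dict, verb: str, group: str, resource: str, name=None) -> bool:
    """Mirror the RBAC authorizer: each list is OR-ed, "*" matches anything,
    and a rule with resourceNames only applies to requests naming one of them."""
    def hit(values, want):
        return "*" in values or want in values
    if not hit(rule.get("verbs", []), verb):
        return False
    if not hit(rule.get("apiGroups", []), group):
        return False
    if not hit(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames")
    if names and (name is None or name not in names):
        return False
    return True


def can_i(rules, verb, group, resource, name=None) -> bool:
    """True if any rule in the Role grants the request (rules are additive)."""
    return any(rule_matches(r, verb, group, resource, name) for r in rules)


def least_privilege_rbac(req: dict, service_account: str = "job-reader") -> list:
    """ServiceAccount, Role and RoleBinding granting exactly the denied request,
    pinned to the one object via resourceNames when the request named one."""
    ns = req["namespace"]
    role_name = f"{service_account}-role"  # assumed name
    rule = {"apiGroups": [req["group"]], "resources": [req["resource"]],
            "verbs": [req["verb"]]}
    if req.get("name"):
        rule["resourceNames"] = [req["name"]]
    return [
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": service_account, "namespace": ns}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
         "metadata": {"name": role_name, "namespace": ns}, "rules": [rule]},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
         "metadata": {"name": f"{service_account}-binding", "namespace": ns},
         "subjects": [{"kind": "ServiceAccount", "name": service_account,
                       "namespace": ns}],
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                     "name": role_name}},
    ]


def can_i_command(req: dict, service_account: str) -> str:
    """`kubectl auth can-i` line that verifies the binding from outside the pod."""
    res = req["resource"] + (f".{req['group']}" if req["group"] else "")
    if req.get("name"):
        res += f"/{req['name']}"
    return (f"kubectl auth can-i {req['verb']} {res} -n {req['namespace']} "
            f"--as=system:serviceaccount:{req['namespace']}:{service_account}")


if __name__ == "__main__":
    req = parse_forbidden(FORBIDDEN_STATUS)
    for obj in least_privilege_rbac(req):
        print(json.dumps(obj, indent=2))  # kubectl apply -f accepts JSON manifests
    print(can_i_command(req, "job-reader"))
```

Apply the three printed objects with `kubectl apply -f`, set `serviceAccountName: job-reader` in the pod spec, and have the Java client build its configuration from the mounted token (the official client's `ClientBuilder.cluster()` in-cluster config) instead of the IMDS credentials the question describes. Binding the Role to a dedicated ServiceAccount leaves the node's IAM identity untouched, so other pods on the same node that can reach the metadata service gain nothing. Note that the answer's Role is named job-watcher but does not grant the watch verb; readNamespacedJob only needs get.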