Kubernetes无法将吊舱列为用户_Kubernetes

Kubernetes无法将吊舱列为用户

kubernetes

Kubernetes无法将吊舱列为用户,kubernetes,Kubernetes,部署时，我看到用户jenkins出现此错误 Error: pods is forbidden: User "system:serviceaccount:ci:jenkins" cannot list pods in the namespace "kube-system" 我已经为服务帐户创建了一个定义 --- apiVersion: v1 kind: ServiceAccount metadata: name: jenkins --- kind: R

部署时，我看到用户jenkins出现此错误

Error: pods is forbidden: User "system:serviceaccount:ci:jenkins" cannot list pods in the namespace "kube-system"

我已经为服务帐户创建了一个定义

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins

我创建了一个ClusterRoleBinding

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: kube-system

任何建议？

如果没有命名空间（在ServiceAccount创建中），您将在

默认

命名空间中自动创建它。角色（始终是一个命名空间资源）也是如此

您需要做的是创建一个具有正确权限的ClusterRole（基本上只是将您的角色更改为ClusterRole），然后在ServiceAccount资源或ClusterRole绑定中设置正确的命名空间

您还可以跳过创建角色和角色绑定，因为ClusterRole和ClusterRoleBinding将以任何方式覆盖它

尽管如此。在部署时，最好按照每个命名空间创建一个特定的ServiceAccount和RoleBinding，这样您就不会意外地创建一个管理员帐户，该帐户用于远程CI工具，如。。。詹金斯；）

如果没有命名空间（在ServiceAccount创建中），您将在

默认

命名空间中自动创建它。角色（始终是一个命名空间资源）也是如此

您还可以跳过创建角色和角色绑定，因为ClusterRole和ClusterRoleBinding将以任何方式覆盖它