Kubernetes无法将吊舱列为用户
部署时,我看到用户jenkins出现此错误Kubernetes无法将吊舱列为用户,kubernetes,Kubernetes,部署时,我看到用户jenkins出现此错误 Error: pods is forbidden: User "system:serviceaccount:ci:jenkins" cannot list pods in the namespace "kube-system" 我已经为服务帐户创建了一个定义 --- apiVersion: v1 kind: ServiceAccount metadata: name: jenkins --- kind: R
Error: pods is forbidden: User "system:serviceaccount:ci:jenkins" cannot list pods in the namespace "kube-system"
我已经为服务帐户创建了一个定义
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: jenkins
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: jenkins
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: jenkins
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins
subjects:
- kind: ServiceAccount
name: jenkins
我创建了一个ClusterRoleBinding
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: jenkins
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: jenkins
namespace: kube-system
任何建议?如果没有命名空间(在ServiceAccount创建中),您将在默认
命名空间中自动创建它。角色(始终是一个命名空间资源)也是如此
您需要做的是创建一个具有正确权限的ClusterRole(基本上只是将您的角色更改为ClusterRole),然后在ServiceAccount资源或ClusterRole绑定中设置正确的命名空间
您还可以跳过创建角色和角色绑定,因为ClusterRole和ClusterRoleBinding将以任何方式覆盖它
--
尽管如此。在部署时,最好按照每个命名空间创建一个特定的ServiceAccount和RoleBinding,这样您就不会意外地创建一个管理员帐户,该帐户用于远程CI工具,如。。。詹金斯;) 如果没有命名空间(在ServiceAccount创建中),您将在默认
命名空间中自动创建它。角色(始终是一个命名空间资源)也是如此
您需要做的是创建一个具有正确权限的ClusterRole(基本上只是将您的角色更改为ClusterRole),然后在ServiceAccount资源或ClusterRole绑定中设置正确的命名空间
您还可以跳过创建角色和角色绑定,因为ClusterRole和ClusterRoleBinding将以任何方式覆盖它
--
尽管如此。在部署时,最好按照每个命名空间创建一个特定的ServiceAccount和RoleBinding,这样您就不会意外地创建一个管理员帐户,该帐户用于远程CI工具,如。。。詹金斯;)