Kubernetes RBAC:权限不匹配
我面临下一个问题。我想问库伯内特斯我是否能做些手术:Kubernetes RBAC:权限不匹配,kubernetes,Kubernetes,我面临下一个问题。我想问库伯内特斯我是否能做些手术: $ kubectl auth can-i list secrets --namespace iotdevadm no - no RBAC policy matched 上面,我要求列出秘密。根据回应,我不能这样做 然而: $ kubectl get secrets NAME TYPE DATA AGE builde
$ kubectl auth can-i list secrets --namespace iotdevadm
no - no RBAC policy matched
$ kubectl get secrets
NAME TYPE DATA AGE
builder-dockercfg-9m9rf kubernetes.io/dockercfg 1 23h
builder-token-6xxdn kubernetes.io/service-account-token 4 23h
builder-token-qc7q7 kubernetes.io/service-account-token 4 23h
default-dockercfg-qs7sj kubernetes.io/dockercfg 1 23h
default-token-n4lpw kubernetes.io/service-account-token 4 23h
default-token-n7rhh kubernetes.io/service-account-token 4 23h
deployer-dockercfg-nhnps kubernetes.io/dockercfg 1 23h
deployer-token-5rkb6 kubernetes.io/service-account-token 4 23h
deployer-token-v85wp kubernetes.io/service-account-token 4 23h
istio.builder istio.io/key-and-cert 3 23h
istio.default istio.io/key-and-cert 3 23h
istio.deployer istio.io/key-and-cert 3 23h
istio.kafka istio.io/key-and-cert 3 16h
istio.zeppelin istio.io/key-and-cert 3 18h
kafka-dockercfg-whltw kubernetes.io/dockercfg 1 16h
kafka-token-crrxt kubernetes.io/service-account-token 4 16h
kafka-token-j5dgd kubernetes.io/service-account-token 4 16h
sh.helm.release.v1.kafka.v1 helm.sh/release.v1 1 16h
sh.helm.release.v1.spark.v1 helm.sh/release.v1 1 16h
sh.helm.release.v1.zeppelin.v1 helm.sh/release.v1 1 18h
sh.helm.release.v1.zookeeper.v1 helm.sh/release.v1 1 16h
spark-secret Opaque 0 16h
zeppelin-dockercfg-7zdkm kubernetes.io/dockercfg 1 18h
zeppelin-token-85jtc kubernetes.io/service-account-token 4 18h
zeppelin-token-x4r5c kubernetes.io/service-account-token 4 18h
kubectl get secretsdefaultkubectl get secrets-n iotdavmiotdavmkubectl get secrets默认kubectl get secrets-n iotdavdmiotdavdmkubectl get secrets
iotdavmkubectl get secrets -n iotdevadm
kubectl auth can-i get secrets --namespace iotdevadm
此命令将检查在命名空间中的kubeconfig中配置的用户获取机密的权限
iotdavmkubectl get secrets
iotdavmkubectl get secrets -n iotdevadm
kubectl auth can-i get secrets --namespace iotdevadm
此命令将检查在命名空间
iotdavm中的kubeconfig中配置的用户获取机密的权限,假设我们在该命名空间testns中创建了命名空间testns和服务帐户testsa。如果您尝试按以下方式验证kubectl can-i…$ kubectl auth can-i get pods --as=system:serviceaccount:testns:testsa -n testns
no
$ kubectl auth can-i get secrets --as=system:serviceaccount:testns:testsa -n testns
no
$ kubectl auth can-i get pods --as=system:serviceaccount:testns:testsa -n testns
yes
$ kubectl auth can-i get secrets --as=system:serviceaccount:testns:testsa -n testns
no
假设我们在这个名称空间testns中创建了名称空间testns和服务帐户testsa。如果您尝试按以下方式验证kubectl can-i…,您应该:
$ kubectl auth can-i get pods --as=system:serviceaccount:testns:testsa -n testns
no
$ kubectl auth can-i get secrets --as=system:serviceaccount:testns:testsa -n testns
no
$ kubectl auth can-i get pods --as=system:serviceaccount:testns:testsa -n testns
yes
$ kubectl auth can-i get secrets --as=system:serviceaccount:testns:testsa -n testns
no
你查过答案了吗?他们帮你解决了你的问题?如果是的话,请考虑一下。你检查过答案了吗?他们帮你解决了你的问题?如果是的话,请考虑一下。