Kubernetes Serviceaccount无法创建persistentvolumeclaim(PVC)
我们正在测试闪亮的代理Kubernetes容器,每个应用程序都旋转它自己的容器,直到这一部分为止,它工作正常。我们对创建PVC/PV进行了一些更改,以保存每个容器的用户特定数据,注意到serviceaccount无法创建PVC,尽管我为该帐户配置了以下角色。一般来说,是否有其他步骤确保SA能够访问/创建PVC 当从普通容器进行测试时,PV/PVC是可访问的,但用于创建新容器的serviceaccount角色/权限似乎存在问题Kubernetes Serviceaccount无法创建persistentvolumeclaim(PVC),kubernetes,Kubernetes,我们正在测试闪亮的代理Kubernetes容器,每个应用程序都旋转它自己的容器,直到这一部分为止,它工作正常。我们对创建PVC/PV进行了一些更改,以保存每个容器的用户特定数据,注意到serviceaccount无法创建PVC,尽管我为该帐户配置了以下角色。一般来说,是否有其他步骤确保SA能够访问/创建PVC 当从普通容器进行测试时,PV/PVC是可访问的,但用于创建新容器的serviceaccount角色/权限似乎存在问题 kind: Role apiVersion: rbac.authori
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: sp-ns
name: sp-sa
rules:
- apiGroups: [""]
resources: ["pods", "pods/log", "persistentvolumeclaims"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
我已确认serviceaccount角色设置正确,如下命令返回“是”
kubectl auth can-i create pvc --as=system:serviceaccount:sp-ns:sp-sa -n sp-ns
从应用程序创建容器时出错:
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: http://localhost:8001/api/v1/namespaces/sp-ns/pods. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "sp-pod-92e1efc0-0859-4a87-8b9b-04d6adaa11f5" is forbidden: user "system:serviceaccount:sp-ns:sp-sa" is not an admin and does not have permissions to use host bind mounts for resource .
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:503)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:440)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:406)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:365)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleCreate(OperationSupport.java:234)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleCreate(BaseOperation.java:735)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:325)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.create(BaseOperation.java:321)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.lambda$createNew$0(BaseOperation.java:336)
at io.fabric8.kubernetes.api.model.DoneablePod.done(DoneablePod.java:26)
at eu.openanalytics.containerproxy.backend.kubernetes.KubernetesBackend.startContainer(KubernetesBackend.java:223)
at eu.openanalytics.containerproxy.backend.AbstractContainerBackend.doStartProxy(AbstractContainerBackend.java:129)
at eu.openanalytics.containerproxy.backend.AbstractContainerBackend.startProxy(AbstractContainerBackend.java:110)
... 95 more
privileged:true
kubectl create clusterrolebinding加载项群集管理--clusterrole=cluster admin--servicecomport=sp ns:sp sa
卷是否已经存在?你能准确地粘贴你得到的错误吗?是的,PV和PVC已经存在了。使用错误和其他信息更新。如果从代码/YAML配置中删除PVC相关行,则容器会正常旋转。访问PVC是否需要群集管理角色?是的,访问PVC需要群集管理角色。我找不到有关为什么需要群集管理角色访问PVC的任何文档,因为它是命名空间范围资源,而不是群集范围资源。我将为同一个资源创建一个集群角色,看看这是否有区别。cluster-admin角色完全控制角色绑定命名空间中的每个资源,包括命名空间本身。请查看更多详细信息。添加群集管理角色绑定解决了创建pvc的问题。