Kubernetes Can'；t授予服务帐户应用现有角色的权限“；来自服务器的错误（禁止）。。。试图授予额外特权”；_Kubernetes_Rbac_Role

Kubernetes Can'；t授予服务帐户应用现有角色的权限“；来自服务器的错误（禁止）。。。试图授予额外特权”；

kubernetes

Kubernetes Can'；t授予服务帐户应用现有角色的权限“；来自服务器的错误（禁止）。。。试图授予额外特权”；,kubernetes,rbac,role,Kubernetes,Rbac,Role,我正在尝试授予服务帐户权限，以便在现有角色上运行kubectl apply-f somerole.yaml 我创建了具有以下权限的服务帐户： cat > ~/tmp/Role.yaml <<EOF kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: my-role6 rules: - apiGroups: ["*"] resour

我正在尝试授予服务帐户权限，以便在现有角色上运行

kubectl apply-f somerole.yaml

我创建了具有以下权限的服务帐户：

cat > ~/tmp/Role.yaml <<EOF 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role6
rules: 
- apiGroups: ["*"]
  resources: ["roles"]
  verbs: ["replace", "patch", "get", "list", "create"] 
EOF

kubectl create -f ~/tmp/Role.yaml

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: $ROLE_NAME
rules: 
- apiGroups: ["*"]
  resources: ["roles", "pods"]
  verbs: ["patch", "get", "list"]

我收到：

Error from server (Forbidden): error when creating "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]}] ruleResolutionErrors=[]

Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"rbac.authorization.k8s.io/v1beta1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"testrole\",\"namespace\":\"default\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"pods\"],\"verbs\":[\"list\",\"get\"]}]}\n"}},"rules":[{"apiGroups":["*"],"resources":["pods"],"verbs":["list","get"]}]}
to:
&{0xc420b26840 0xc4202b18f0 default testrole malrole.yaml 0xc4211a8988 0xc42000c008 1638 false}
for: "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["*"]}] ruleResolutionErrors=[]

更具可读性的版本：

Error from server (Forbidden): 
    error when creating "malrole.yaml": 
    roles.rbac.authorization.k8s.io "testrole" is forbidden: 
        attempt to grant extra privileges: 
        [ 
            PolicyRule{
                Resources:["pods"], APIGroups:["*"], Verbs:["get"]
            }
        ] 
        user=&{
            system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 
            [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]
            } 

        ownerrules=[
            PolicyRule{
                Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], 
                Verbs:["create"]
            } 

            PolicyRule{
                NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"], 
                Verbs:["get"]
            }

            PolicyRule{
                Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]
            }
        ] 


        ruleResolutionErrors=[]

malrole.yaml（我尝试应用的文件）：

它写道：

授予额外特权的尝试

从代码中的这一行中提取：

不知道为什么

根据文件：

ConfirmNoEscalation确定给定用户的角色是否在给定名称空间包含提供的角色
但是我也试着给自己更多的权限（见编辑部分），但仍然收到了这个错误
编辑：
即使我将权限更改为

kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: my-role6 rules: - apiGroups: ["*"] resources: ["roles"] verbs: ["*"]
我收到：

Error from server (Forbidden): error when creating "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]}] ruleResolutionErrors=[]

Error from server (Forbidden): error when applying patch: {"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"rbac.authorization.k8s.io/v1beta1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"testrole\",\"namespace\":\"default\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"pods\"],\"verbs\":[\"list\",\"get\"]}]}\n"}},"rules":[{"apiGroups":["*"],"resources":["pods"],"verbs":["list","get"]}]} to: &{0xc420b26840 0xc4202b18f0 default testrole malrole.yaml 0xc4211a8988 0xc42000c008 1638 false} for: "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["*"]}] ruleResolutionErrors=[]
@利吉特告诉我的
升级预防拒绝创建包含以下内容的角色的尝试您尚未拥有的权限
以下内容：

我发现为了能够应用角色，我需要具有以下权限：

cat > ~/tmp/Role.yaml <<EOF kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: my-role6 rules: - apiGroups: ["*"] resources: ["roles"] verbs: ["replace", "patch", "get", "list", "create"] EOF kubectl create -f ~/tmp/Role.yaml

kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: $ROLE_NAME rules: - apiGroups: ["*"] resources: ["roles", "pods"] verbs: ["patch", "get", "list"]
我不知道为什么当我只是应用一个角色时，
pods
应该是资源的一部分。但也许应用程序正在为此使用一些系统吊舱
正如上面链接中提到的：
要允许用户创建/更新角色，请执行以下操作：

授予他们一个角色，允许他们创建/更新角色或 ClusterRole对象，视需要而定
授予他们包含以下内容的角色 您希望他们能够在角色或角色中设置的权限 ClusterRole。如果他们试图创建或修改角色或ClusterRole 在未授予权限的情况下，API 请求将被禁止
@利吉特告诉我的
升级预防拒绝创建包含以下内容的角色的尝试您尚未拥有的权限
以下内容：

我发现为了能够应用角色，我需要具有以下权限：

cat > ~/tmp/Role.yaml <<EOF kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: my-role6 rules: - apiGroups: ["*"] resources: ["roles"] verbs: ["replace", "patch", "get", "list", "create"] EOF kubectl create -f ~/tmp/Role.yaml

kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: $ROLE_NAME rules: - apiGroups: ["*"] resources: ["roles", "pods"] verbs: ["patch", "get", "list"]
我不知道为什么当我只是应用一个角色时，
pods
应该是资源的一部分。但也许应用程序正在为此使用一些系统吊舱
正如上面链接中提到的：
要允许用户创建/更新角色，请执行以下操作：

授予他们一个角色，允许他们创建/更新角色或 ClusterRole对象，视需要而定
授予他们包含以下内容的角色 您希望他们能够在角色或角色中设置的权限 ClusterRole。如果他们试图创建或修改角色或ClusterRole 在未授予权限的情况下，API 请求将被禁止

我认为服务帐户没有创建角色的权限。尝试将
cluster admin
角色赋予服务帐户（myservice6？），我认为服务帐户没有创建角色的权限。请尝试将
群集管理
角色赋予服务帐户（myservice6？）。您尝试创建的角色包含pod相关权限，因此您的创建用户需要拥有这些权限才能创建包含这些权限的角色。您尝试创建的角色包含pod相关权限，因此，创建用户需要拥有这些权限，才能创建包含这些权限的角色。