Kubernetes kubectl create secret generic: internal error, permission denied
I have configured access to my K8s cluster, set up all the required pods and services, and created secrets using YAML files, but the following simple command:
kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
kubectl create secret generic my-secret --from-file=path/to/bar
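results in an error:
Error from server (InternalError): an internal error occurred: rpc error: code=Internal desc=kms service encryption error: rpc error: code=PermissionDenied desc=Permission denied
How can I solve this problem?
More details: the cluster is running on . Of course, I have already written to support, but I hope to get a faster response with a solution here.
Update: some role information: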
kubectl get rolebindings,clusterrolebindings --all-namespaces
NAMESPACE NAME ROLE AGE
kube-public rolebinding.rbac.authorization.k8s.io/system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 15d
kube-system rolebinding.rbac.authorization.k8s.io/cluster-autoscaler Role/cluster-autoscaler 15d
kube-system rolebinding.rbac.authorization.k8s.io/metrics-server-auth-reader Role/extension-apiserver-authentication-reader 15d
kube-system rolebinding.rbac.authorization.k8s.io/node-metrics-agent-rb Role/node-metrics-agent 15d
kube-system rolebinding.rbac.authorization.k8s.io/system::extension-apiserver-authentication-reader Role/extension-apiserver-authentication-reader 15d
kube-system rolebinding.rbac.authorization.k8s.io/system::leader-locking-kube-controller-manager Role/system::leader-locking-kube-controller-manager 15d
kube-system rolebinding.rbac.authorization.k8s.io/system::leader-locking-kube-scheduler Role/system::leader-locking-kube-scheduler 15d
kube-system rolebinding.rbac.authorization.k8s.io/system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 15d
kube-system rolebinding.rbac.authorization.k8s.io/system:controller:cloud-provider Role/system:controller:cloud-provider 15d
kube-system rolebinding.rbac.authorization.k8s.io/system:controller:token-cleaner Role/system:controller:token-cleaner 15d
monitoring rolebinding.rbac.authorization.k8s.io/loki Role/loki 14d
monitoring rolebinding.rbac.authorization.k8s.io/loki-promtail Role/loki-promtail 14d
monitoring rolebinding.rbac.authorization.k8s.io/prom-grafana Role/prom-grafana 14d
monitoring rolebinding.rbac.authorization.k8s.io/prom-grafana-test Role/prom-grafana-test 14d
monitoring rolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-alertmanager Role/prom-kube-prometheus-stack-alertmanager 14d
NAMESPACE NAME ROLE AGE
clusterrolebinding.rbac.authorization.k8s.io/ccm-binding ClusterRole/cluster-admin 15d
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin ClusterRole/cluster-admin 15d
clusterrolebinding.rbac.authorization.k8s.io/cluster-autoscaler ClusterRole/cluster-autoscaler 15d
clusterrolebinding.rbac.authorization.k8s.io/csi-attacher-binding ClusterRole/external-attacher-role 15d
clusterrolebinding.rbac.authorization.k8s.io/csi-csinodeinfos-reader-binding ClusterRole/csinodeinfos-reader 15d
clusterrolebinding.rbac.authorization.k8s.io/csi-csinodes-reader-binding ClusterRole/csinodes-reader 15d
clusterrolebinding.rbac.authorization.k8s.io/csi-driver-registrar-binding ClusterRole/cluster-driver-registrar-role 15d
clusterrolebinding.rbac.authorization.k8s.io/csi-endpoints-reader-binding ClusterRole/endpoints-operator 15d
clusterrolebinding.rbac.authorization.k8s.io/csi-leases-operator-binding ClusterRole/leases-operator 15d
clusterrolebinding.rbac.authorization.k8s.io/csi-provisioner-binding ClusterRole/external-provisioner-role 15d
clusterrolebinding.rbac.authorization.k8s.io/csi-snapshotter-binding ClusterRole/external-snapshotter-role 15d
clusterrolebinding.rbac.authorization.k8s.io/event-logger-rb ClusterRole/view 15d
clusterrolebinding.rbac.authorization.k8s.io/loki-promtail-clusterrolebinding ClusterRole/loki-promtail-clusterrole 14d
clusterrolebinding.rbac.authorization.k8s.io/metrics-server:system:auth-delegator ClusterRole/system:auth-delegator 15d
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-nginx-ingress ClusterRole/nginx-ingress-nginx-ingress 14d
clusterrolebinding.rbac.authorization.k8s.io/node-metrics-agent-rb ClusterRole/node-metrics-agent 15d
clusterrolebinding.rbac.authorization.k8s.io/npd-binding ClusterRole/system:node-problem-detector 15d
clusterrolebinding.rbac.authorization.k8s.io/npd-ds-binding ClusterRole/system:node-problem-detector 15d
clusterrolebinding.rbac.authorization.k8s.io/prom-grafana-clusterrolebinding ClusterRole/prom-grafana-clusterrole 14d
clusterrolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-operator ClusterRole/prom-kube-prometheus-stack-operator 14d
clusterrolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-operator-psp ClusterRole/prom-kube-prometheus-stack-operator-psp 14d
clusterrolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-prometheus ClusterRole/prom-kube-prometheus-stack-prometheus 14d
clusterrolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-prometheus-psp ClusterRole/prom-kube-prometheus-stack-prometheus-psp 14d
clusterrolebinding.rbac.authorization.k8s.io/prom-kube-state-metrics ClusterRole/prom-kube-state-metrics 14d
clusterrolebinding.rbac.authorization.k8s.io/psp-prom-kube-state-metrics ClusterRole/psp-prom-kube-state-metrics 14d
clusterrolebinding.rbac.authorization.k8s.io/psp-prom-prometheus-node-exporter ClusterRole/psp-prom-prometheus-node-exporter 14d
clusterrolebinding.rbac.authorization.k8s.io/system:basic-user ClusterRole/system:basic-user 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:attachdetach-controller ClusterRole/system:controller:attachdetach-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:certificate-controller ClusterRole/system:controller:certificate-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:clusterrole-aggregation-controller ClusterRole/system:controller:clusterrole-aggregation-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:cronjob-controller ClusterRole/system:controller:cronjob-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:daemon-set-controller ClusterRole/system:controller:daemon-set-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:deployment-controller ClusterRole/system:controller:deployment-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:disruption-controller ClusterRole/system:controller:disruption-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:endpoint-controller ClusterRole/system:controller:endpoint-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:endpointslice-controller ClusterRole/system:controller:endpointslice-controller 14d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:expand-controller ClusterRole/system:controller:expand-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:generic-garbage-collector ClusterRole/system:controller:generic-garbage-collector 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:horizontal-pod-autoscaler ClusterRole/system:controller:horizontal-pod-autoscaler 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:job-controller ClusterRole/system:controller:job-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:namespace-controller ClusterRole/system:controller:namespace-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:node-controller ClusterRole/system:controller:node-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:persistent-volume-binder ClusterRole/system:controller:persistent-volume-binder 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:pod-garbage-collector ClusterRole/system:controller:pod-garbage-collector 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:pv-protection-controller ClusterRole/system:controller:pv-protection-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:pvc-protection-controller ClusterRole/system:controller:pvc-protection-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:replicaset-controller ClusterRole/system:controller:replicaset-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:replication-controller ClusterRole/system:controller:replication-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:resourcequota-controller ClusterRole/system:controller:resourcequota-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:route-controller ClusterRole/system:controller:route-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:service-account-controller ClusterRole/system:controller:service-account-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:service-controller ClusterRole/system:controller:service-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:statefulset-controller ClusterRole/system:controller:statefulset-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:controller:ttl-controller ClusterRole/system:controller:ttl-controller 15d
clusterrolebinding.rbac.authorization.k8s.io/system:coredns ClusterRole/system:coredns 15d
clusterrolebinding.rbac.authorization.k8s.io/system:discovery ClusterRole/system:discovery 15d
clusterrolebinding.rbac.authorization.k8s.io/system:kube-controller-manager ClusterRole/system:kube-controller-manager 15d
clusterrolebinding.rbac.authorization.k8s.io/system:kube-dns ClusterRole/system:kube-dns 15d
clusterrolebinding.rbac.authorization.k8s.io/system:kube-dns-autoscaler ClusterRole/system:kube-dns-autoscaler 15d
clusterrolebinding.rbac.authorization.k8s.io/system:kube-proxy ClusterRole/system:node-proxier 15d
clusterrolebinding.rbac.authorization.k8s.io/system:kube-scheduler ClusterRole/system:kube-scheduler 15d
clusterrolebinding.rbac.authorization.k8s.io/system:metrics-server ClusterRole/system:metrics-server 15d
clusterrolebinding.rbac.authorization.k8s.io/system:node ClusterRole/system:node 15d
clusterrolebinding.rbac.authorization.k8s.io/system:node-proxier ClusterRole/system:node-proxier 15d
clusterrolebinding.rbac.authorization.k8s.io/system:public-info-viewer ClusterRole/system:public-info-viewer 15d
clusterrolebinding.rbac.authorization.k8s.io/system:volume-scheduler ClusterRole/system:volume-scheduler 15d
clusterrolebinding.rbac.authorization.k8s.io/yc:admin ClusterRole/cluster-admin 15d
clusterrolebinding.rbac.authorization.k8s.io/yc:alpha:auto-approve-csrs-for-group ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient 15d
clusterrolebinding.rbac.authorization.k8s.io/yc:alpha:auto-approve-renewals-for-nodes ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 15d
clusterrolebinding.rbac.authorization.k8s.io/yc:alpha:create-csrs-for-bootstrapping ClusterRole/system:node-bootstrapper 15d
clusterrolebinding.rbac.authorization.k8s.io/yc:editor ClusterRole/edit 15d
clusterrolebinding.rbac.authorization.k8s.io/yc:viewer ClusterRole/view 15d
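I found the solution: I had to assign the role kms.keys.encrypterDecrypter to the service account that is used to manage the Kubernetes cluster, in the settings of the Yandex.Cloud project folder.
@RobEvans Hi! I have seen that question, but I don't think it is related: I don't use AWS or EncryptionConfiguration configs.
Hello. Quick question. Are you a cluster admin? What ClusterRoles and Roles does your account have in the cluster?
@JustinTamblyn Hi! I have no experience with K8s roles yet, but I used a command to grep them; you can see the result in the question update.
Awesome. I suspect the K8s cluster needs a key or something to talk to KMS. This is a silly question, but may I ask whether you set up the cluster with credentials or something similar for talking to Yandex KMS (sorry, I know nothing about Yandex)?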
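Added example, not part of the original thread: a small shell helper that separates the two failure classes this thread mixes up, a Kubernetes RBAC denial versus a permission failure between the cluster and KMS, and prints the role grant described in the answer. The sample messages and the folder and service-account IDs are constructed placeholders, and using the yc CLI instead of the console settings is an assumption.

```shell
#!/bin/sh
# Added example: tell an RBAC denial apart from a KMS-plugin denial.

# Constructed sample messages (not captured from a real cluster).
KMS_ERR='Error from server (InternalError): Internal error occurred: rpc error: code = Internal desc = kms service encrypt error: rpc error: code = PermissionDenied desc = Permission denied'
RBAC_ERR='Error from server (Forbidden): secrets is forbidden: User "jane" cannot create resource "secrets" in API group "" in the namespace "default"'

# classify_kubectl_error MESSAGE
# Prints one of: rbac | kms-iam | kms-other | unknown
classify_kubectl_error() {
    msg=$1
    case $msg in
        *"(Forbidden)"*)
            # Rejected by the API server's authorizer: look at Roles/ClusterRoles.
            echo rbac ;;
        *"(InternalError)"*)
            # Authorization passed; the failure happened later in the write path.
            if printf '%s' "$msg" | grep -qi 'kms'; then
                if printf '%s' "$msg" | grep -q 'PermissionDenied'; then
                    # The identity the cluster uses to call KMS may not use the key.
                    echo kms-iam
                else
                    echo kms-other
                fi
            else
                echo unknown
            fi ;;
        *)
            echo unknown ;;
    esac
}

# grant_command FOLDER SERVICE_ACCOUNT_ID
# Prints (does not run) the yc command granting the role named in the answer.
grant_command() {
    printf 'yc resource-manager folder add-access-binding %s --role kms.keys.encrypterDecrypter --subject serviceAccount:%s\n' "$1" "$2"
}

# Demo with placeholder IDs.
if [ "$(classify_kubectl_error "$KMS_ERR")" = kms-iam ]; then
    grant_command '<folder-id>' '<service-account-id>'
fi
```

A result of `kms-iam` means listing RoleBindings will not help; `kubectl auth can-i create secrets` confirms the RBAC side independently.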