Kubernetes: kubectl create secret generic fails with InternalError / Permission denied


I have configured access to my K8s cluster, set up all the required Pods and Services, and created Secrets from YAML files, but the following simple commands:

kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
kubectl create secret generic my-secret --from-file=path/to/bar
result in the error:

Error from server (InternalError): Internal error occurred: rpc error: code = Internal desc = kms service encrypt error: rpc error: code = PermissionDenied desc = Permission denied

How can I fix this?

More details: the cluster is running on . Of course, I have already written to support, but I am hoping for a faster response here.

Update: some role information:

kubectl get rolebindings,clusterrolebindings --all-namespaces


NAMESPACE    NAME    ROLE    AGE
kube-public   rolebinding.rbac.authorization.k8s.io/system:controller:bootstrap-signer    Role/system:controller:bootstrap-signer    15d
kube-system   rolebinding.rbac.authorization.k8s.io/cluster-autoscaler    Role/cluster-autoscaler    15d
kube-system   rolebinding.rbac.authorization.k8s.io/metrics-server-auth-reader    Role/extension-apiserver-authentication-reader    15d
kube-system   rolebinding.rbac.authorization.k8s.io/node-metrics-agent-rb    Role/node-metrics-agent    15d
kube-system   rolebinding.rbac.authorization.k8s.io/system::extension-apiserver-authentication-reader   Role/extension-apiserver-authentication-reader    15d
kube-system   rolebinding.rbac.authorization.k8s.io/system::leader-locking-kube-controller-manager    Role/system::leader-locking-kube-controller-manager   15d
kube-system   rolebinding.rbac.authorization.k8s.io/system::leader-locking-kube-scheduler    Role/system::leader-locking-kube-scheduler    15d
kube-system   rolebinding.rbac.authorization.k8s.io/system:controller:bootstrap-signer    Role/system:controller:bootstrap-signer    15d
kube-system   rolebinding.rbac.authorization.k8s.io/system:controller:cloud-provider    Role/system:controller:cloud-provider    15d
kube-system   rolebinding.rbac.authorization.k8s.io/system:controller:token-cleaner    Role/system:controller:token-cleaner    15d
monitoring    rolebinding.rbac.authorization.k8s.io/loki    Role/loki    14d
monitoring    rolebinding.rbac.authorization.k8s.io/loki-promtail    Role/loki-promtail    14d
monitoring    rolebinding.rbac.authorization.k8s.io/prom-grafana    Role/prom-grafana    14d
monitoring    rolebinding.rbac.authorization.k8s.io/prom-grafana-test    Role/prom-grafana-test    14d
monitoring    rolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-alertmanager    Role/prom-kube-prometheus-stack-alertmanager    14d


NAMESPACE   NAME    ROLE    AGE
    clusterrolebinding.rbac.authorization.k8s.io/ccm-binding    ClusterRole/cluster-admin    15d
    clusterrolebinding.rbac.authorization.k8s.io/cluster-admin    ClusterRole/cluster-admin    15d
    clusterrolebinding.rbac.authorization.k8s.io/cluster-autoscaler    ClusterRole/cluster-autoscaler    15d
    clusterrolebinding.rbac.authorization.k8s.io/csi-attacher-binding    ClusterRole/external-attacher-role    15d
    clusterrolebinding.rbac.authorization.k8s.io/csi-csinodeinfos-reader-binding    ClusterRole/csinodeinfos-reader    15d
    clusterrolebinding.rbac.authorization.k8s.io/csi-csinodes-reader-binding    ClusterRole/csinodes-reader    15d
    clusterrolebinding.rbac.authorization.k8s.io/csi-driver-registrar-binding    ClusterRole/cluster-driver-registrar-role    15d
    clusterrolebinding.rbac.authorization.k8s.io/csi-endpoints-reader-binding    ClusterRole/endpoints-operator    15d
    clusterrolebinding.rbac.authorization.k8s.io/csi-leases-operator-binding    ClusterRole/leases-operator    15d
    clusterrolebinding.rbac.authorization.k8s.io/csi-provisioner-binding    ClusterRole/external-provisioner-role    15d
    clusterrolebinding.rbac.authorization.k8s.io/csi-snapshotter-binding    ClusterRole/external-snapshotter-role    15d
    clusterrolebinding.rbac.authorization.k8s.io/event-logger-rb    ClusterRole/view    15d
    clusterrolebinding.rbac.authorization.k8s.io/loki-promtail-clusterrolebinding    ClusterRole/loki-promtail-clusterrole    14d
    clusterrolebinding.rbac.authorization.k8s.io/metrics-server:system:auth-delegator    ClusterRole/system:auth-delegator    15d
    clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-nginx-ingress    ClusterRole/nginx-ingress-nginx-ingress    14d
    clusterrolebinding.rbac.authorization.k8s.io/node-metrics-agent-rb    ClusterRole/node-metrics-agent    15d
    clusterrolebinding.rbac.authorization.k8s.io/npd-binding    ClusterRole/system:node-problem-detector    15d
    clusterrolebinding.rbac.authorization.k8s.io/npd-ds-binding    ClusterRole/system:node-problem-detector    15d
    clusterrolebinding.rbac.authorization.k8s.io/prom-grafana-clusterrolebinding    ClusterRole/prom-grafana-clusterrole    14d
    clusterrolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-operator    ClusterRole/prom-kube-prometheus-stack-operator    14d
    clusterrolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-operator-psp    ClusterRole/prom-kube-prometheus-stack-operator-psp    14d
    clusterrolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-prometheus    ClusterRole/prom-kube-prometheus-stack-prometheus    14d
    clusterrolebinding.rbac.authorization.k8s.io/prom-kube-prometheus-stack-prometheus-psp    ClusterRole/prom-kube-prometheus-stack-prometheus-psp    14d
    clusterrolebinding.rbac.authorization.k8s.io/prom-kube-state-metrics    ClusterRole/prom-kube-state-metrics    14d
    clusterrolebinding.rbac.authorization.k8s.io/psp-prom-kube-state-metrics    ClusterRole/psp-prom-kube-state-metrics    14d
    clusterrolebinding.rbac.authorization.k8s.io/psp-prom-prometheus-node-exporter    ClusterRole/psp-prom-prometheus-node-exporter    14d
    clusterrolebinding.rbac.authorization.k8s.io/system:basic-user    ClusterRole/system:basic-user    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:attachdetach-controller    ClusterRole/system:controller:attachdetach-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:certificate-controller    ClusterRole/system:controller:certificate-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:clusterrole-aggregation-controller   ClusterRole/system:controller:clusterrole-aggregation-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:cronjob-controller    ClusterRole/system:controller:cronjob-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:daemon-set-controller    ClusterRole/system:controller:daemon-set-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:deployment-controller    ClusterRole/system:controller:deployment-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:disruption-controller    ClusterRole/system:controller:disruption-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:endpoint-controller    ClusterRole/system:controller:endpoint-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:endpointslice-controller    ClusterRole/system:controller:endpointslice-controller    14d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:expand-controller    ClusterRole/system:controller:expand-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:generic-garbage-collector    ClusterRole/system:controller:generic-garbage-collector    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:horizontal-pod-autoscaler    ClusterRole/system:controller:horizontal-pod-autoscaler    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:job-controller    ClusterRole/system:controller:job-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:namespace-controller    ClusterRole/system:controller:namespace-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:node-controller    ClusterRole/system:controller:node-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:persistent-volume-binder    ClusterRole/system:controller:persistent-volume-binder    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:pod-garbage-collector    ClusterRole/system:controller:pod-garbage-collector    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:pv-protection-controller    ClusterRole/system:controller:pv-protection-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:pvc-protection-controller    ClusterRole/system:controller:pvc-protection-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:replicaset-controller    ClusterRole/system:controller:replicaset-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:replication-controller    ClusterRole/system:controller:replication-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:resourcequota-controller    ClusterRole/system:controller:resourcequota-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:route-controller    ClusterRole/system:controller:route-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:service-account-controller    ClusterRole/system:controller:service-account-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:service-controller    ClusterRole/system:controller:service-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:statefulset-controller    ClusterRole/system:controller:statefulset-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:controller:ttl-controller    ClusterRole/system:controller:ttl-controller    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:coredns    ClusterRole/system:coredns    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:discovery    ClusterRole/system:discovery    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:kube-controller-manager    ClusterRole/system:kube-controller-manager    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:kube-dns    ClusterRole/system:kube-dns    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:kube-dns-autoscaler    ClusterRole/system:kube-dns-autoscaler    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:kube-proxy    ClusterRole/system:node-proxier    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:kube-scheduler    ClusterRole/system:kube-scheduler    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:metrics-server    ClusterRole/system:metrics-server    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:node    ClusterRole/system:node    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:node-proxier    ClusterRole/system:node-proxier    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:public-info-viewer    ClusterRole/system:public-info-viewer    15d
    clusterrolebinding.rbac.authorization.k8s.io/system:volume-scheduler    ClusterRole/system:volume-scheduler    15d
    clusterrolebinding.rbac.authorization.k8s.io/yc:admin    ClusterRole/cluster-admin    15d
    clusterrolebinding.rbac.authorization.k8s.io/yc:alpha:auto-approve-csrs-for-group    ClusterRole/system:certificates.k8s.io:certificatesigningrequests:nodeclient    15d
    clusterrolebinding.rbac.authorization.k8s.io/yc:alpha:auto-approve-renewals-for-nodes    ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   15d
    clusterrolebinding.rbac.authorization.k8s.io/yc:alpha:create-csrs-for-bootstrapping    ClusterRole/system:node-bootstrapper    15d
    clusterrolebinding.rbac.authorization.k8s.io/yc:editor    ClusterRole/edit    15d
    clusterrolebinding.rbac.authorization.k8s.io/yc:viewer    ClusterRole/view    15d

I found the solution: I had to assign the role kms.keys.encrypterDecrypter to the service account that is used to manage the Kubernetes cluster, in the settings of the Yandex.Cloud project folder.
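The answer above points at the cloud IAM layer rather than Kubernetes RBAC: the API server had already authorised the request, and the failure came from its KMS plugin being refused by the cloud KMS when it tried to envelope-encrypt the Secret for etcd. The script below is an added example of mine, not code from the asker, the answerer or Yandex. It classifies the stderr of a failed "kubectl create secret" so the two failure modes are not confused, wraps the yc CLI binding the answer describes (the "yc resource-manager folder add-access-binding" syntax, the folder ID and the service-account ID are assumptions and placeholders), and verifies the fix with a real write, because "--dry-run=server" stops before storage and never exercises the KMS encryption path. The two error strings are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Distinguishes a KMS envelope-encryption
# failure from an RBAC failure when "kubectl create secret" fails, grants the role
# named in the answer via the yc CLI, and verifies with a persisted Secret.
# Assumptions: yc CLI syntax as below; FOLDER_ID / SA_ID are placeholders.
set -eu

# Constructed sample errors (not captured from a real cluster).
KMS_ERR_SAMPLE='Error from server (InternalError): Internal error occurred: rpc error: code = Internal desc = kms service encrypt error: rpc error: code = PermissionDenied desc = Permission denied'
RBAC_ERR_SAMPLE='Error from server (Forbidden): secrets is forbidden: User "dev" cannot create resource "secrets" in API group "" in the namespace "default"'

# classify_secret_error <stderr-text>
#   kms-permission-denied : RBAC passed; the API server's KMS plugin was refused by
#                           the cloud KMS. Fix the cloud IAM role of the cluster's
#                           service account, not Kubernetes Roles/ClusterRoles.
#   rbac-forbidden        : the caller lacks "create" on secrets in that namespace.
#   other                 : anything else (network, auth, malformed input, ...).
classify_secret_error() {
  err="$1"
  if printf '%s' "$err" | grep -qi 'kms' && printf '%s' "$err" | grep -qi 'PermissionDenied'; then
    echo kms-permission-denied
  elif printf '%s' "$err" | grep -q 'Forbidden'; then
    echo rbac-forbidden
  else
    echo other
  fi
}

# grant_kms_role <folder-id> <service-account-id>
# Builds the binding from the answer. Printed instead of executed unless DRY_RUN=0,
# so the (folder-wide) grant can be reviewed first. For least privilege, prefer a
# binding on the specific KMS key the cluster was created with, if it is known.
grant_kms_role() {
  folder_id="$1"; sa_id="$2"
  set -- yc resource-manager folder add-access-binding "$folder_id" \
         --role kms.keys.encrypterDecrypter --subject "serviceAccount:$sa_id"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# verify_secret_write [namespace]
# Creates and deletes a throw-away Secret. A real write is required: server-side
# dry-run does not reach etcd, so it cannot exercise the KMS transform.
verify_secret_write() {
  ns="${1:-default}"; name="kms-probe-$$"
  if out=$(kubectl -n "$ns" create secret generic "$name" --from-literal=probe=1 2>&1); then
    kubectl -n "$ns" delete secret "$name" >/dev/null
    echo ok
  else
    classify_secret_error "$out"
  fi
}

# Usage (placeholders): DRY_RUN=0 grant_kms_role b1gexamplefolder ajeexamplesa && verify_secret_write default
```

With the sample error from the question, classify_secret_error answers kms-permission-denied, which is the signal to leave RBAC alone and bind the IAM role; if verify_secret_write still reports kms-permission-denied after the grant, the role was bound to the wrong service account or the wrong folder/key.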

@RobEvans Hi! I have seen that question, but I think it is unrelated; I am not using AWS or EncryptionConfiguration configs.

Hello. Quick question: are you a cluster admin? Which ClusterRoles and Roles does your account have in the cluster?

@JustinTamblyn Hi! I have no experience with K8s roles yet, but I used a command to grep them; you can see the result in the question update.

Awesome. I suspect the K8s cluster needs a key or something to talk to KMS. This is a silly question, but may I ask whether you set up the cluster with credentials or something that talks to Yandex KMS (sorry, I know nothing about Yandex)?