Kubernetes service account cannot get pods although it has permission; Error from server (Forbidden): "…";

I created a service account and I want to grant it permission to list pods:
kubectl get pods
I have the following setup for the service account, role and role binding:

serviceaccount.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myservice3

role.yaml:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: my-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get"]
rolebinding.yaml:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: my-role-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: myservice3
  namespace: default
  apiGroup: ""
roleRef:
  kind: Role
  name: my-role
  apiGroup: ""
I created a user with the service account's token:
SECRET_NAME=`kubectl get serviceaccounts myservice3 -o json | jq -r '.secrets[].name'`
TOKEN=`kubectl get secrets $SECRET_NAME -o json | jq -r '.data | .token' | base64 -d`
kubectl config set-credentials $USER_NAME --token=$TOKEN
Set a context for this user:
kubectl config set-context my-context \
  --cluster=kubernetes \
  --namespace=default \
  --user=$USER_NAME
When trying to use its permissions:
$ kubectl get pods --context=my-context
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:myservice3" cannot list pods in the namespace "default"
I also tried with curl:
$ curl -k -v -H "Authorization: Bearer $TOKEN" https://127.0.0.1:6443
* About to connect() to 127.0.0.1 port 6443 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=kube-apiserver
* start date: Jul 02 09:36:21 2018 GMT
* expire date: Jul 02 09:36:21 2019 GMT
* common name: kube-apiserver
* issuer: CN=kubernetes
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:6443
> Accept: */*
> Authorization: Bearer <JWT_token>
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Mon, 02 Jul 2018 12:17:10 GMT
< Content-Length: 257
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:default:myservice3\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
* Connection #0 to host 127.0.0.1 left intact
Any idea what I'm doing wrong? I gave the service account the get pods permission, but it is still forbidden.

Answer:

role.yaml also needs list:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: my-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get", "list"]
get is the permission to fetch a single item; list is the permission to fetch all items. Now it works when running:
kubectl get pods --context=myservice3-context
or
curl -k -v -H "Authorization: Bearer $TOKEN" https://127.0.0.1:6443/api/v1/namespaces/default/pods