Warning: file_get_contents(/data/phpspider/zhask/data//catemap/8/meteor/3.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Kubernetes 服务帐户无法获取POD,尽管它有权限;来自服务器的错误(禁止):“…”;_Kubernetes_Token - Fatal编程技术网
Fatal编程技术网
  • kubernetes/
  • Kubernetes 服务帐户无法获取POD,尽管它有权限;来自服务器的错误(禁止):“…”;

Kubernetes 服务帐户无法获取POD,尽管它有权限;来自服务器的错误(禁止):“…”;

kubernetes

Kubernetes 服务帐户无法获取POD,尽管它有权限;来自服务器的错误(禁止):“…”;,kubernetes,token,Kubernetes,Token,我创建了一个服务帐户,我想授予它列出播客的权限:kubectl get pods 我对服务帐户、角色和角色绑定有以下设置: 服务帐户.yaml: apiVersion: v1 kind: ServiceAccount metadata: name: myservice3 kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: namespace: default name: my-role rules:

我创建了一个服务帐户,我想授予它列出播客的权限:
kubectl get pods

我对服务帐户、角色和角色绑定有以下设置:

服务帐户.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myservice3

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role
rules: 
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get"]
角色。yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myservice3

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role
rules: 
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get"]
RoleBinding.yaml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  name: my-role-binding
  namespace: default
subjects: 
- kind: ServiceAccount 
  name: myservice3
  namespace: default
  apiGroup: ""
roleRef: 
  kind: Role
  name: my-role
  apiGroup: ""
我使用服务帐户的令牌创建了一个用户:

SECRET_NAME=`kubectl get serviceaccounts myservice3 -o json | jq -r '.secrets[].name'`
TOKEN=`kubectl get secrets $SECRET_NAME -o json | jq -r '.data | .token' | base64 -d`
kubectl config set-credentials $USER_NAME --token=$TOKEN
为此用户设置上下文:

kubectl config set-context my-context \
--cluster=kubernetes \
--namespace=default \
--user=$USER_NAME
尝试使用其权限时:

$ kubectl get pods --context=my-context
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:myservice3" cannot list pods in the namespace "default"
我还尝试了使用
curl

$ curl -k -v -H "Authorization: Bearer $TOKEN" https://127.0.0.1:6443
* About to connect() to 127.0.0.1 port 6443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=kube-apiserver
*       start date: Jul 02 09:36:21 2018 GMT
*       expire date: Jul 02 09:36:21 2019 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:6443
> Accept: */*
> Authorization: Bearer <JWT_token>
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Mon, 02 Jul 2018 12:17:10 GMT
< Content-Length: 257
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:default:myservice3\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
* Connection #0 to host 127.0.0.1 left intact

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role
rules: 
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get", "list"] 

$curl-k-v-H“授权:持票人$TOKEN”https://127.0.0.1:6443
*即将连接()到127.0.0.1端口6443(#0)
*正在尝试127.0.0.1。。。
*连接到127.0.0.1(127.0.0.1)端口6443(#0)
*使用certpath:sql:/etc/pki/nssdb初始化NSS
*跳过SSL对等证书验证
*NSS:找不到客户端证书(未指定昵称)
*使用TLS\u ECDHE\u RSA\u和\u AES\u 128\u GCM\u SHA256的SSL连接
*服务器证书:
*主题:CN=kube apiserver
*开始日期:格林尼治标准时间2018年7月2日09:36:21
*到期日期:格林尼治标准时间2019年7月2日09:36:21
*通用名称:kube apiserver
*发行人:CN=kubernetes
>GET/HTTP/1.1
>用户代理:curl/7.29.0
>主持人:127.0.0.1:6443
>接受:*/*
>授权:持票人
>
知道我做错了什么吗?我给了服务帐户一个
get pods
权限,但它仍然被禁止。

角色。yaml还需要
列表

$ curl -k -v -H "Authorization: Bearer $TOKEN" https://127.0.0.1:6443
* About to connect() to 127.0.0.1 port 6443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=kube-apiserver
*       start date: Jul 02 09:36:21 2018 GMT
*       expire date: Jul 02 09:36:21 2019 GMT
*       common name: kube-apiserver
*       issuer: CN=kubernetes
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:6443
> Accept: */*
> Authorization: Bearer <JWT_token>
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< X-Content-Type-Options: nosniff
< Date: Mon, 02 Jul 2018 12:17:10 GMT
< Content-Length: 257
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:default:myservice3\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
* Connection #0 to host 127.0.0.1 left intact

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role
rules: 
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get", "list"] 

get
是获取单个项目的权限,
list
是获取所有ITME的权限。
现在,它在运行时工作:

kubectl get pods --context=myservice3-context


curl-k-v-H“授权:承载”https://127.0.0.1:6443/api/v1/namespaces/default/pods