Kubernetes 默认用户禁止创建名称空间，尝试为EKS安装meshery_Kubernetes_Amazon Eks_Servicemesh

Kubernetes 默认用户禁止创建名称空间，尝试为EKS安装meshery

kubernetes

Kubernetes 默认用户禁止创建名称空间，尝试为EKS安装meshery,kubernetes,amazon-eks,servicemesh,Kubernetes,Amazon Eks,Servicemesh,我执行了以下命令： kubectl create namespace meshery 我得到一个如下的错误： Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:default" cannot create resource "namespaces" in API group "" at the clus

我执行了以下命令：

kubectl create namespace meshery

我得到一个如下的错误：

Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:default" cannot create resource "namespaces" in API group "" at the cluster scope

在此之前，我执行的步骤如下：

[ec2-user@ip-10-0-0-43 ~]$ kubectl create serviceaccount meshery
Error from server (AlreadyExists): serviceaccounts "meshery" already exists
[ec2-user@ip-10-0-0-43 ~]$ kubectl create clusterrolebinding meshery-binding --clusterrole=cluster-admin \
>  --serviceaccount=default:meshery
error: failed to create clusterrolebinding: clusterrolebindings.rbac.authorization.k8s.io "meshery-binding" already exists
[ec2-user@ip-10-0-0-43 ~]$ kubectl get secrets
NAME                               TYPE                                  DATA   AGE
bookinfo-details-token-tm654       kubernetes.io/service-account-token   3      40h
bookinfo-productpage-token-lr9zq   kubernetes.io/service-account-token   3      40h
bookinfo-ratings-token-2gc5h       kubernetes.io/service-account-token   3      40h
bookinfo-reviews-token-8k76p       kubernetes.io/service-account-token   3      40h
default-token-zwx6k                kubernetes.io/service-account-token   3      3d
meshery-token-x94qk                kubernetes.io/service-account-token   3      3d
[ec2-user@ip-10-0-0-43 ~]$ kubectl describe secret default-token-zwx6k
Name:         default-token-zwx6k
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 33a3496d-db4c-4fb3-b634-204560210f90

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IlJ4RV82SFR1Q3ltQVp2dHZBMEpNd2RkaTVqM2hQOHB3SURIZDRoVW9lRGcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tend4NmsiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzYTM0OTZkLWRiNGMtNGZiMy1iNjM0LTIwNDU2MDIxMGY5MCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.TdvS4w0i0ky4dWoqrCL4PrggkpbdxlwqAhPpVQuItqCIPThB_IbCbve6KCMKSePNhO6Kw_TV9TiCiZMSzoqc0T_4PnrAcj48IafKi8_JbcNACeoR7KbSNnYigL8Ou1uQFmcM2Wu2FVjaaCg1tVUC4T0oCPH9MQLnyXIbs7lZk6Ip0Cu0qm-86XyyRSdg5m6qc9FkJqZJfiu65EOmNZhhDbx452PmZ4Ag73WcJKCTDMfZBDq5FiQM4eZtpgTjFec0980JpoBqQppVYOyjSh5sjKqkJNo-BcRDiVcAJRM23gDF5Xu4OABvWX3-cgpwb0cdZ0Xx-RK3xomzSu2Qstn5pw
[ec2-user@ip-10-0-0-43 ~]$ kubectl config set-credentials meshery --token=eyJhbGciOiJSUzI1NiIsImtpZCI6IlJ4RV82SFR1Q3ltQVp2dHZBMEpNd2RkaTVqM2hQOHB3SURIZDRoVW9lRGcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tend4NmsiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzYTM0OTZkLWRiNGMtNGZiMy1iNjM0LTIwNDU2MDIxMGY5MCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.TdvS4w0i0ky4dWoqrCL4PrggkpbdxlwqAhPpVQuItqCIPThB_IbCbve6KCMKSePNhO6Kw_TV9TiCiZMSzoqc0T_4PnrAcj48IafKi8_JbcNACeoR7KbSNnYigL8Ou1uQFmcM2Wu2FVjaaCg1tVUC4T0oCPH9MQLnyXIbs7lZk6Ip0Cu0qm-86XyyRSdg5m6qc9FkJqZJfiu65EOmNZhhDbx452PmZ4Ag73WcJKCTDMfZBDq5FiQM4eZtpgTjFec0980JpoBqQppVYOyjSh5sjKqkJNo-BcRDiVcAJRM23gDF5Xu4OABvWX3-cgpwb0cdZ0Xx-RK3xomzSu2Qstn5pw
User "meshery" set.
[ec2-user@ip-10-0-0-43 ~]$ kubectl config set-context --current --user=meshery
Context "arn:aws:eks:us-east-1:632078958246:cluster/icluster1" modified.
[ec2-user@ip-10-0-0-43 ~]$ kubectl config view --minify --flatten >  config_aws_eks.yaml
[ec2-user@ip-10-0-0-43 ~]$ cat config_aws_eks.yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01URXhOVEF6TXpNeU0xb1hEVE13TVRFeE16QXpNek15TTFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTXl0ClorVkI5am13WnNtL1l0TEpVRTB1aWhsWXdiangwcWdpQnNuSE8yKzhOZCtDSTZBS2prM2FsOTFTbWtGZGRsWngKSmY2eXBRTXBsTzVTeko4akpWQWVSMFVoa01vVFJnUDZFR2JRQWZvaFFleG1uMGlneWhnYjV1bGY0WFpTWUN4cwpSMVNJVXpXUVNDcFNEdmkxSDNaSFFVdUFQVkE3cytPYlZZMXIvU3FPVE1nYlVxZFduRXBSbkRzbzNpbXNRemljCk80Q1NtMU9jQXl3eUNqWjNLcHRzUWY1eFpoUytwT1FPbmJ2cWRXRVBCNHBFK29zNGxtZFNOKy81ZU5xaFh4SysKYW5hT2NyMGo5anZVa2VObmc0Z3JsQXFCb3FXL0FCdHhudmlXYmYvd2hYRm5NTUluSDV3dFN6aUhpd0E3TlVPVwpzYTJ2Yk8xcHNQOGlIQkQ2SHYwQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJdWJ4dzJhb2RPWFZCU3ZPdGtuYUJOYkxYL1QKdk5lNWhvcWVjT3pPTFdlcWs4RGdqbldtUUpXT3VFQjBBNEtRRys2WTcvem1qTWJTRG9mbGNqd1pNRWp0VHFSagpDSnNXVnV6b0dtVWVoN29PaUgyTkFtSHVzcFc2N0oxdVZnWFYrVG55Nld5YnhuTjdIQWhTcHlIWUZ2MERySVhxCkZJVWdxOTJBWFJVMklPTld3Wk1HOUY0QndqUEt0QU0ranU3RUNFWXo0SGhHSjlNa01ZcXUvMFlOa3FoNU84cjEKSGpvWDZyRTNqWlE0d0NvMkkrZ1UrRE1RRmsyVGdvb1NMWXBUT2pnaHBGWXlRRTNUMlZBaGdYZnVsMXVZZitmNQoycTl1cTEybWE4RmpFUmRteXp3cy9Jb3UxTElZR1AxdVlmSkc5aDkxZDZpbTRwS1hUTkhGRERJU1NIaz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://BE1866C372B4FCB9E011E90A2BA78F79.gr7.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:632078958246:cluster/icluster1
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:632078958246:cluster/icluster1
    user: meshery
  name: arn:aws:eks:us-east-1:632078958246:cluster/icluster1
current-context: arn:aws:eks:us-east-1:632078958246:cluster/icluster1
kind: Config
preferences: {}
users:
- name: meshery
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlJ4RV82SFR1Q3ltQVp2dHZBMEpNd2RkaTVqM2hQOHB3SURIZDRoVW9lRGcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tend4NmsiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjMzYTM0OTZkLWRiNGMtNGZiMy1iNjM0LTIwNDU2MDIxMGY5MCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.TdvS4w0i0ky4dWoqrCL4PrggkpbdxlwqAhPpVQuItqCIPThB_IbCbve6KCMKSePNhO6Kw_TV9TiCiZMSzoqc0T_4PnrAcj48IafKi8_JbcNACeoR7KbSNnYigL8Ou1uQFmcM2Wu2FVjaaCg1tVUC4T0oCPH9MQLnyXIbs7lZk6Ip0Cu0qm-86XyyRSdg5m6qc9FkJqZJfiu65EOmNZhhDbx452PmZ4Ag73WcJKCTDMfZBDq5FiQM4eZtpgTjFec0980JpoBqQppVYOyjSh5sjKqkJNo-BcRDiVcAJRM23gDF5Xu4OABvWX3-cgpwb0cdZ0Xx-RK3xomzSu2Qstn5pw

我已按照您提供的步骤和说明进行操作，并成功复制了您的问题：

➜  ~ kubectl create namespace meshery

Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:meshery" cannot create resource "namespaces" in API group "" at the cluster scope

切换回上下文确实允许我创建所需的名称空间，从而得出

meshery

角色未正确设置的结论：

➜  ~ kubectl配置集上下文--current--user=minikube
上下文“minikube”已修改。
➜  ~ kubectl创建命名空间网格
创建名称空间/网格

仔细研究该问题后，我发现

ClusterRoleBinding

中引用的

ClusterRole

名称不正确，并且在

ClusterRole

名称中引用了serviceaccount：


➜  ~ kubectl get clusterrolebinding网状绑定-oyaml
apiVersion:rbac.authorization.k8s.io/v1
种类：簇状卷边
元数据：
管理领域：
-apiVersion:rbac.authorization.k8s.io/v1
经理：kubectl create
操作：更新
名称：meshery binding
roleRef：
apiGroup:rbac.authorization.k8s.io
种类：ClusterRole
名称：集群管理员--serviceaccount=默认值：meshery

这意味着文档中的命令写得不正确，因为

集群管理

和

--servicecomport=default:meshery

之间应该有空格

kubectl create clusterrolebinding-meshery绑定--clusterrole=cluster admin\--servicecomport=default:meshery

一旦我更正了空格：

kubectl create clusterrolebinding-meshery绑定——clusterrole=cluster admin——servicecomport=default:meshery

您可以看到

ClusterRoleBinding

现在看起来是正确的：


➜  ~ kubectl get clusterrolebinding网状绑定-oyaml
apiVersion:rbac.authorization.k8s.io/v1
种类：簇状卷边
元数据：
管理领域：
-apiVersion:rbac.authorization.k8s.io/v1
经理：kubectl create
操作：更新
名称：meshery binding
roleRef：
apiGroup:rbac.authorization.k8s.io
种类：ClusterRole
名称：群集管理
学科：
-种类：服务帐户
姓名：meshery
名称空间：默认值

现在，将上下文切换到

meshery

可以正常工作：

➜  ~ kubectl配置集上下文--current--user=meshery
上下文“minikube”已修改。

➜  ~ kubectl创建命名空间网格
创建名称空间/网格

我的怀疑是，因为您在前面为

--user=meshery

设置了上下文，所以用户没有足够的权限创建名称空间。您是否可以尝试为默认/admin用户设置上下文并尝试创建该命名空间？示例：

kubectl config set context--current--user=kubernetes admin

Yeah完全按照您的建议做了。但是，我添加了集群管理员角色，但它仍然无法创建名称空间。我想知道，我已经按照说明进行了操作，我注意到您使用了

default token-…

而不是

meshery token-…

，这是第一个文档中建议的第3,4点。你能核实一下吗？对我来说，这一切都很好。你有机会检查我以前的建议吗@学习者

➜  ~ kubectl create namespace meshery

Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:meshery" cannot create resource "namespaces" in API group "" at the cluster scope