Kubernetes RBAC: pod/exec create operation forbidden
Tags: kubernetes, operator-sdk

I am working on an operator and using operator-sdk for operator development. I am executing a pod exec for some business logic, but it keeps failing with the following error:

Failed to cleanup testst StatefulSet StatefulSet.Name : devst{"Instance.Namespace": "default", "Instance.Name": "testst-sample", "error": "pods \"testst-0\" is forbidden: User \"system:serviceaccount:test-db:default\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\""}
Here is the role definition:

Name:         manager-role
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"creationTimestamp":null,"name":"manager-ro...
PolicyRule:
  Resources                                  Non-Resource URLs  Resource Names  Verbs
  ---------                                  -----------------  --------------  -----
  statefulsets.''/finalizers                 []                 []              [create delete get list patch update watch]
  configmaps                                 []                 []              [create delete get list patch update watch]
  persistentvolumeclaims                     []                 []              [create delete get list patch update watch]
  secrets                                    []                 []              [create delete get list patch update watch]
  services                                   []                 []              [create delete get list patch update watch]
  statefulsets.apps                          []                 []              [create delete get list patch update watch]
  teststapps.example.com                     []                 []              [create delete get list patch update watch]
  teststapps.example.com/finalizers          []                 []              [create delete get patch update]
  pods/exec                                  []                 []              [create get]
  pods/log                                   []                 []              [get list watch]
  pods                                       []                 []              [get list watch]
  teststapps.example.com/status              []                 []              [get patch update]
Role binding definition:

kubectl describe clusterrolebinding.rbac.authorization.k8s.io/manager-rolebinding
Name:         manager-rolebinding
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"manager-rolebinding"},"roleR...
Role:
  Kind:  ClusterRole
  Name:  manager-role
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  default  system


Please advise what I am doing wrong.

Answer:

According to the role binding, you have bound the ClusterRole manager-role to the service account default in the system namespace, but according to the error, the service account is default in the test-db namespace.

If you change the namespace in the role binding from system to test-db, it should work. Also, make sure to create the role binding in the test-db namespace rather than the system namespace.

Comment: Thanks. Please let me know whether namespaces and service accounts can be created from inside the operator. My operator is multi-group based, so for each API and controller I will create a different namespace and service account. Is there a way to create namespaces and service accounts from the operator? The namespace and service account details will be passed via the CR.

Comment: You will be creating the namespace and service account using the service account... As long as that service account has the permission to perform those actions, it should work.
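The matching the answer describes (the identity in the error must equal a subject of the binding, and a rule of the bound ClusterRole must cover the apiGroup, resource and verb), together with the permission question raised in the follow-up comments, as an added example in Python. This is not code from the question, the answer or operator-sdk; it re-implements the API server's RBAC decision offline so the two failure modes can be told apart. ROLE_RULES and BINDING_SUBJECTS are transcribed from the kubectl describe output in the question, ERROR is the message from the question, and NAMESPACE_ERROR is a constructed message for the follow-up case (Namespace is cluster-scoped, so the server omits the "in the namespace" suffix). The function names are this example's own. One point the answer does not spell out: a ClusterRoleBinding is itself cluster-scoped, so the namespace that matters is the one written in the subject, not where the binding is created.

```python
"""Offline reproduction of Kubernetes RBAC subject and rule matching, used to
explain a 'forbidden' error like the one in the question.

Added example, not code from the question, the answer, or operator-sdk.
ROLE_RULES and BINDING_SUBJECTS are transcribed from the question;
NAMESPACE_ERROR is a constructed message for the follow-up comment."""
import json
import re

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)
SA_RE = re.compile(r"^system:serviceaccount:([^:]+):(.+)$")

# Verbatim from the question.
ERROR = ('pods "testst-0" is forbidden: User "system:serviceaccount:test-db:default" '
         'cannot create resource "pods/exec" in API group "" in the namespace "default"')

# Constructed: what the API server says when the operator tries to create a
# Namespace (cluster-scoped, hence no "in the namespace" suffix).
NAMESPACE_ERROR = ('namespaces "tenant-a" is forbidden: User "system:serviceaccount:test-db:default" '
                   'cannot create resource "namespaces" in API group ""')

ROLE_RULES = [  # the relevant rows of manager-role from the question
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "get"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["statefulsets"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
]
BINDING_SUBJECTS = [{"kind": "ServiceAccount", "name": "default", "namespace": "system"}]


def parse_forbidden(msg):
    """Split a forbidden message into user, verb, resource, apiGroup, namespace."""
    m = FORBIDDEN_RE.search(msg)
    if m is None:
        raise ValueError("not a Kubernetes RBAC forbidden message: %r" % msg)
    info = m.groupdict()
    sa = SA_RE.match(info["user"])  # system:serviceaccount:<namespace>:<name>
    info["sa_namespace"], info["sa_name"] = sa.groups() if sa else (None, None)
    return info


def subject_matches(subject, info):
    """A ServiceAccount subject matches on its own namespace and name only; the
    namespace of the request and of the binding object play no part."""
    return (subject.get("kind") == "ServiceAccount"
            and subject.get("namespace") == info["sa_namespace"]
            and subject.get("name") == info["sa_name"])


def rule_allows(rule, info):
    """PolicyRule matching: apiGroup, resource and verb must all be covered.
    Subresources such as pods/exec must be listed explicitly; 'pods' alone
    never covers them, only '*' does."""
    def covered(wanted, listed):
        return "*" in listed or wanted in listed
    return (covered(info["group"], rule.get("apiGroups", []))
            and covered(info["resource"], rule.get("resources", []))
            and covered(info["verb"], rule.get("verbs", [])))


def diagnose(msg, role_rules, binding_subjects):
    """Say which half of the RBAC check fails for the identity in the message."""
    info = parse_forbidden(msg)
    if not any(subject_matches(s, info) for s in binding_subjects):
        bound = ", ".join("%s/%s" % (s.get("namespace"), s.get("name")) for s in binding_subjects)
        return "subject mismatch: request came from %s/%s but the binding names %s" % (
            info["sa_namespace"], info["sa_name"], bound)
    if not any(rule_allows(r, info) for r in role_rules):
        return "no rule grants %s on %s in apiGroup %r" % (info["verb"], info["resource"], info["group"])
    return "allowed"


def subject_from_error(msg):
    """The subject a binding needs so that the identity in the error matches."""
    info = parse_forbidden(msg)
    return {"kind": "ServiceAccount", "name": info["sa_name"], "namespace": info["sa_namespace"]}


def corrected_binding(msg, role_name="manager-role", binding_name="manager-rolebinding"):
    """A ClusterRoleBinding whose subject is the identity from the error message."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": binding_name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role_name},
        "subjects": [subject_from_error(msg)],
    }


if __name__ == "__main__":
    print(diagnose(ERROR, ROLE_RULES, BINDING_SUBJECTS))        # subject mismatch
    fixed = corrected_binding(ERROR)
    print(diagnose(ERROR, ROLE_RULES, fixed["subjects"]))       # allowed
    print(json.dumps(fixed, indent=2))  # JSON is valid YAML, so kubectl apply -f accepts it
    # Follow-up comment: creating Namespaces needs its own rule in the ClusterRole.
    print(diagnose(NAMESPACE_ERROR, ROLE_RULES, fixed["subjects"]))
    with_ns = ROLE_RULES + [{"apiGroups": [""], "resources": ["namespaces", "serviceaccounts"],
                             "verbs": ["create", "get"]}]
    print(diagnose(NAMESPACE_ERROR, with_ns, fixed["subjects"]))
```

On a live cluster the same two checks collapse into one command, which asks the API server the question the operator's request would ask: kubectl auth can-i create pods/exec --as=system:serviceaccount:test-db:default -n default. Run it again with "create namespaces" (no -n, since Namespace is cluster-scoped) before adding the namespace-creation logic from the comments, and grant only the verbs the operator actually uses rather than a wildcard.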