Kubernetes RBAC: creating pods/exec is forbidden
I am working on an operator and using operator-sdk for the operator development. I am performing a pod exec for some business logic, but it keeps failing with the following error:

Failed to cleanup testst StatefulSet StatefulSet.Name : devst{"Instance.Namespace": "default", "Instance.Name": "testst-sample", "error": "pods \"testst-0\" is forbidden: User \"system:serviceaccount:test-db:default\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\""}
Here is the role definition:
Name:         manager-role
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"creationTimestamp":null,"name":"manager-ro...
PolicyRule:
  Resources                          Non-Resource URLs  Resource Names  Verbs
  ---------                          -----------------  --------------  -----
  statefulsets.''/finalizers         []                 []              [create delete get list patch update watch]
  configmaps                         []                 []              [create delete get list patch update watch]
  persistentvolumeclaims             []                 []              [create delete get list patch update watch]
  secrets                            []                 []              [create delete get list patch update watch]
  services                           []                 []              [create delete get list patch update watch]
  statefulsets.apps                  []                 []              [create delete get list patch update watch]
  teststapps.example.com             []                 []              [create delete get list patch update watch]
  teststapps.example.com/finalizers  []                 []              [create delete get patch update]
  pods/exec                          []                 []              [create get]
  pods/log                           []                 []              [get list watch]
  pods                               []                 []              [get list watch]
  teststapps.example.com/status      []                 []              [get patch update]
Role binding definition:
kubectl describe clusterrolebinding.rbac.authorization.k8s.io/manager-rolebinding
Name:         manager-rolebinding
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"manager-rolebinding"},"roleR...
Role:
  Kind:  ClusterRole
  Name:  manager-role
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  default  system
Please advise what I am doing wrong.

Per the RoleBinding, you have bound the ClusterRole manager-role to the service account default in the namespace system, but per the error, the service account is default in the namespace test-db. If you change the namespace in the role binding from system to test-db, it should work. Also, make sure you create the role binding in the test-db namespace, not the system namespace.

Thanks. Please tell me whether it is possible to create namespaces and service accounts from inside the operator. My operator is multi-group based, so for each API and controller I will create a different namespace and service account. Is there a way to create the namespace and service account from the operator? The namespace and service account details will be passed via the CR.

You would be creating the namespace and service account using a service account... as long as that service account has the permissions to perform those operations, it should work.
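The two points made in this thread, that the subject namespace in the binding has to be the namespace the ServiceAccount actually lives in, and that any further resources the operator creates need matching permissions on that ServiceAccount, can be replayed offline. The following is an added example written for this page, not code from the original post, the answer, or operator-sdk: a reduced model of the RBAC authorizer fed with the ClusterRole and ClusterRoleBinding transcribed from the question, evaluating the exact request named in the error message. The RoleBinding variant and the namespaces/serviceaccounts checks are additions for illustration, and the rule set is a partial transcription (the CRD rules are left out).

```python
"""Miniature replay of the RBAC decision behind the "forbidden" error in the question.

Added example for this page, not code from the original post or from operator-sdk. The
rules and binding are transcribed from the kubectl describe output above; the evaluation
is a reduced form of the apiserver's RBAC authorizer (no aggregated roles, resourceNames
or non-resource URLs; ServiceAccount subjects only)."""
import re
from dataclasses import dataclass

# The error from the question, with its JSON string escaping removed.
ERROR_MSG = ('pods "testst-0" is forbidden: User "system:serviceaccount:test-db:default" '
             'cannot create resource "pods/exec" in API group "" in the namespace "default"')
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"')
SA_RE = re.compile(r"^system:serviceaccount:(?P<namespace>[^:]+):(?P<name>[^:]+)$")

# ClusterRole manager-role as shown in the question. Only the rules relevant to the
# checks below are transcribed; the CRD rules live in another API group.
ALL_VERBS = ["create", "delete", "get", "list", "patch", "update", "watch"]
MANAGER_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["configmaps", "persistentvolumeclaims", "secrets", "services"], "verbs": ALL_VERBS},
    {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ALL_VERBS},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "get"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
]
ROLES = {"manager-role": MANAGER_ROLE_RULES}


@dataclass(frozen=True)
class Request:
    user: str        # "system:serviceaccount:<ns>:<name>" for a ServiceAccount
    verb: str        # RBAC verb, e.g. "create"
    api_group: str   # "" is the core group
    resource: str    # "pods/exec": a subresource is part of the resource name
    namespace: str   # "" for cluster-scoped requests such as namespaces

def parse_forbidden(msg: str) -> Request:
    """Recover the denied request from an apiserver 'forbidden' message."""
    m = FORBIDDEN_RE.search(msg)
    if m is None:
        raise ValueError("not a recognised RBAC forbidden message")
    return Request(m["user"], m["verb"], m["group"], m["resource"], m["namespace"])

def manager_binding(sa_namespace, kind="ClusterRoleBinding", binding_namespace=""):
    """The binding from the question, parameterised on the subject's namespace
    ("system" as posted, "test-db" as the answer suggests) and on its kind."""
    metadata = {"name": "manager-rolebinding"}
    if kind == "RoleBinding":
        metadata["namespace"] = binding_namespace
    return {"kind": kind, "metadata": metadata,
            "roleRef": {"kind": "ClusterRole", "name": "manager-role"},
            "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": sa_namespace}]}

def subject_matches(subject: dict, user: str) -> bool:
    """A ServiceAccount subject matches on (namespace, name) only: the binding must
    name the namespace the ServiceAccount actually lives in."""
    m = SA_RE.match(user)
    return (subject.get("kind") == "ServiceAccount" and m is not None
            and (m["namespace"], m["name"]) == (subject["namespace"], subject["name"]))

def rule_allows(rule: dict, req: Request) -> bool:
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["apiGroups"], req.api_group) and hit(rule["resources"], req.resource)
            and hit(rule["verbs"], req.verb))

def authorize(req: Request, binding: dict, roles: dict):
    """Evaluate one binding as the RBAC authorizer does: scope, then subject, then
    the referenced role's rules. Returns (allowed, reason)."""
    if binding["kind"] == "RoleBinding" and (
            req.namespace == "" or binding["metadata"]["namespace"] != req.namespace):
        return False, "RoleBinding does not cover the request's namespace"
    if not any(subject_matches(s, req.user) for s in binding["subjects"]):
        return False, f"{binding['metadata']['name']} has no subject matching {req.user}"
    role = binding["roleRef"]["name"]
    if any(rule_allows(r, req) for r in roles[role]):
        return True, f"allowed by {role}"
    return False, f"{role} has no rule for {req.verb} {req.resource}"

def check_exec(sa_namespace, kind="ClusterRoleBinding", binding_namespace=""):
    """Replay the exact request from the error against a variant of the binding."""
    return authorize(parse_forbidden(ERROR_MSG),
                     manager_binding(sa_namespace, kind, binding_namespace), ROLES)

def check_create(resource: str, namespace: str = ""):
    """Could the test-db ServiceAccount create other resources, as the last reply in
    the thread requires? Cluster-scoped requests carry namespace ""."""
    req = Request("system:serviceaccount:test-db:default", "create", "", resource, namespace)
    return authorize(req, manager_binding("test-db"), ROLES)

if __name__ == "__main__":
    print("binding as posted           :", check_exec("system"))
    print("subject namespace -> test-db:", check_exec("test-db"))
    print("RoleBinding in default      :", check_exec("test-db", "RoleBinding", "default"))
    print("create namespaces           :", check_create("namespaces"))
```

Run it with python3 to print the outcomes. What the replay makes visible: the subject's namespace is the one the ServiceAccount lives in (test-db), independent of where the target pods are; a ClusterRoleBinding applies in every namespace, so with the role as posted that ServiceAccount can exec into any pod in the cluster; if exec is only needed in default, a RoleBinding created in default (the pods' namespace) that still names the test-db ServiceAccount as its subject is the least-privilege shape; and the role as posted grants no create on namespaces or serviceaccounts, which the last reply says the operator's ServiceAccount would need. Against a real cluster, `kubectl auth can-i create pods/exec -n default --as=system:serviceaccount:test-db:default` asks the apiserver the same question.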