Kubernetes 如何制作一个能够创建clusterrole的掌舵图,该角色允许在特定名称空间中创建、查看和删除POD?
我在kubernetes集群上运行了一个守护进程,其目的是接受gRPC请求,并将这些请求转换为用于在k8s集群中创建、删除和查看POD的命令。它在集群中作为服务运行,并通过helm部署 helm图表为守护进程“tass daemon”创建了一个服务帐户,并为它提供了一个集群角色,该角色应该允许它操作特定名称空间“tass arrays”中的pod 但是,我发现服务帐户似乎不工作,我的守护进程在尝试联系K8S API服务器时报告权限错误:Kubernetes 如何制作一个能够创建clusterrole的掌舵图,该角色允许在特定名称空间中创建、查看和删除POD?,kubernetes,kubernetes-helm,rbac,helmfile,Kubernetes,Kubernetes Helm,Rbac,Helmfile,我在kubernetes集群上运行了一个守护进程,其目的是接受gRPC请求,并将这些请求转换为用于在k8s集群中创建、删除和查看POD的命令。它在集群中作为服务运行,并通过helm部署 helm图表为守护进程“tass daemon”创建了一个服务帐户,并为它提供了一个集群角色,该角色应该允许它操作特定名称空间“tass arrays”中的pod 但是,我发现服务帐户似乎不工作,我的守护进程在尝试联系K8S API服务器时报告权限错误: 2021/03/04 21:17:48 pods is f
2021/03/04 21:17:48 pods is forbidden: User "system:serviceaccount:default:tass-daemon" cannot list resource "pods" in API group "" in the namespace "tass-arrays"
[maintainer@headnode helm]$ kubectl describe clusterrole admin | grep -i pods
pods [] [] [create delete deletecollection patch update get list watch]
pods/attach [] [] [get list watch create delete deletecollection patch update]
pods/exec [] [] [get list watch create delete deletecollection patch update]
pods/portforward [] [] [get list watch create delete deletecollection patch update]
pods/proxy [] [] [get list watch create delete deletecollection patch update]
pods/log [] [] [get list watch]
pods/status [] [] [get list watch]
[maintainer@headnode helm]$ kubectl describe clusterrole tass-daemon | grep -i pods
pods/attach [] [] [create delete deletecollection patch update get list watch]
pods [] [] [create delete deletecollection patch update get list watch]
pods.apps [] [] [create delete deletecollection patch update get list watch]
pods/status [] [] [get list watch]
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
labels:
app: {{ template "tass-daemon.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "tass-daemon.fullname" . }}
namespace: "tass-arrays"
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- create delete deletecollection patch update get list watch
- apiGroups:
- ""
resources:
- pods/attach
verbs:
- create delete deletecollection patch update get list watch
- apiGroups:
- ""
resources:
- pods/status
verbs:
- get list watch
- apiGroups:
- apps
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
labels:
app: {{ template "tass-daemon.name" .}}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "tass-daemon.fullname" . }}
namespace: "tass-arrays"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "tass-daemon.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "tass-daemon.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: {{ template "tass-daemon.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "tass-daemon.fullname" . }}
很明显,我做错了什么,那么配置clusterrole的正确方法是什么,这样我的守护进程就可以操作“tass arrays”命名空间中的pod了?正如我在评论部分提到的,
apiVersionrbac.authorization.k8s.io/v1beta1rbac.authorization.k8s.io/v1v1RBACClusterRolerules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
请参阅:。您有匹配的ClusterRoleBinding吗?@DavidMaze我想是的。如果我将clusterrolebinding从tass守护程序更改为admin,我完全可以让它工作,但将admin赋予tass守护程序服务帐户的权力太大了。apiVersion rbac.authorization.k8s.io/v1beta1上存在弃用,而使用rbac.authorization.k8s.io/v1。