问题描述
我有一个操作员,并将其部署在同一集群的3个不同的名称空间中,然后出现以下错误。我不知道这里出了什么问题以及如何解决?有什么想法吗?
E1111 15:02:48.398838 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.6/tools/cache/reflector.go:125: Failed to list *v1alpha1.Bird: Birds.xxxx.com is forbidden: User "system:serviceaccount:aaaa-test:default" cannot list resource "Birds" in API group "xxxx.com" in the namespace "aaaa-test"
E1111 15:02:50.193666 1 reflector.go:178] pkg/mod/k8s.io/client-go@v0.18.6/tools/cache/reflector.go:125: Failed to list *v1alpha1.Bird: Birds.xxxx.com is forbidden: User "system:serviceaccount:aaaa-test:default" cannot list resource "Birds" in API group "xxxx.com" in the namespace "aaaa-test"
解决方法
此消息表示您用于运营商的服务帐户确实缺少某些权限。您需要添加具有list
资源Birds
的权限的角色。
类似这样的东西:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: operator
rules:
- apiGroups:
- xxxx.com
resources:
- birds
verbs:
- list
不用说,您还需要添加ClusterRoleBinding
。
请在示例中查看更多详细信息:Build Your Operator with the Right Tool。