Cannot read resources through the K8s API

Problem description

UPDATED
I am trying to fetch resources with curl from inside a pod deployed on K8s.
While I can get the list of pods with a curl request, it does not work for configmaps and nodes.

Here are the role bindings I am using (applied to the Pod):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-ro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods","configmaps"]
  verbs: ["get","list"]


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-cro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["nodes"]
  verbs: ["get","list"]

And when I try to get the list of nodes:

    curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/nodes
    {
      "kind": "Status","apiVersion": "v1","metadata": {

      },"status": "Failure","message": "nodes is forbidden: User \"system:serviceaccount:test:test\" cannot list resource \"nodes\" in API group \"\" at the cluster scope","reason": "Forbidden","details": {
        "kind": "nodes"
      },

Same with configmaps:

    curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/configmaps
    {
      "kind": "Status","metadata": {

      },"message": "configmaps is forbidden: User \"system:serviceaccount:test:test\" cannot list resource \"configmaps\" in API group \"\" in the namespace \"default\"","details": {
        "kind": "configmaps"
      },"code": 403

It works for pods.
What could be the problem? A misconfiguration in the RoleBinding?

Solution

To grant the test-ro role access to list ConfigMaps, the resource name must be specified in plural form. This is probably the reason why listing Pods works but listing ConfigMaps does not. So the role should be specified like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-ro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods","configmaps"]
  verbs: ["get","list"]

Listing nodes needs a somewhat different configuration, because nodes are a cluster-scoped resource rather than a namespaced one. Due to this, the nodes permissions must be given in a ClusterRole.

Also, the API URL for listing nodes has no namespace. The correct URL should be https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/nodes

An example of a working ClusterRole could look like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["nodes"]
  verbs: ["get","list"]
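To make the scoping rules in this answer concrete, here is an added Python model of how the API server evaluates such a request against Roles, ClusterRoles and their bindings. It is an illustration written for this page, not code from the question, the answer or Kubernetes itself; the bindings it constructs (a RoleBinding in the "test" namespace, and the ClusterRoleBinding added in the usage block) are assumptions, not the asker's actual configuration.

```python
"""Simplified model of Kubernetes RBAC evaluation for core-API (/api/v1) requests.

Added illustration, not the kube-apiserver implementation. Roles mirror the
question; the bindings below are constructed for the example.
"""
import re

SUBJECT = "system:serviceaccount:test:test"  # the pod's service account from the question

# Roles keyed by (kind, namespace, name); ClusterRoles use "" as namespace.
ROLES = {
    ("Role", "test", "test-ro"): [
        {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list"]}],
    ("ClusterRole", "", "test-cro"): [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}],
}

# Constructed assumption: only a RoleBinding in namespace "test" exists at first.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "test",
     "roleRef": ("Role", "test", "test-ro"), "subjects": [SUBJECT]},
]


def parse_core_path(path):
    """Map a /api/v1 URL path to (resource, namespace); "" means cluster scope."""
    m = re.fullmatch(r"/api/v1(?:/namespaces/([^/]+))?/([^/]+)(?:/[^/]+)?", path)
    if not m:
        raise ValueError("not a core-API path: " + path)
    return m.group(2), m.group(1) or ""


def rule_allows(rule, verb, resource):
    """A rule matches when group, resource and verb all match (or are '*')."""
    return (("" in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def can_i(subject, verb, path, bindings=BINDINGS):
    """Return True if any binding for `subject` grants `verb` on the request path."""
    resource, namespace = parse_core_path(path)
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        # A RoleBinding only grants inside its own namespace, so it can never
        # cover a cluster-scoped request such as /api/v1/nodes (namespace "").
        # A ClusterRoleBinding grants in every namespace and at cluster scope.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if any(rule_allows(r, verb, resource) for r in ROLES[b["roleRef"]]):
            return True
    return False
```

With the constructed bindings, listing pods in "test" is allowed, listing configmaps in "default" is denied because the RoleBinding lives in "test", and listing nodes is denied until a ClusterRoleBinding to test-cro is added for the service account.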