[Question title]: Kubernetes user cannot list "pods" in namespace
[Posted]: 2020-11-06 11:13:28
[Question description]:

I am trying to map an AWS IAM role (federated) to EKS RBAC, following this tutorial, but I still get an error:

➜ kubectl edit configmap aws-auth -n kube-system

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapAccounts: |
    []
  mapRoles: |
    - "groups":
      - "system:bootstrappers"
      - "system:nodes"
      "rolearn": "arn:aws:iam::xxx:role/edna-dev-eks200000005"
      "username": "system:node:{{EC2PrivateDNSName}}"
    - "rolearn": "arn:aws:iam::xxx:role/team-developers"
      "username": "developer"
      "groups":
        - "system:master"
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2020-06-11T19:40:47Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "4627634"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 137288f1-ae32-4a6f-b3d5-8dbd1da1e21d

➜ k get pods -n edna
Error from server (Forbidden): pods is forbidden: User "developer" cannot list resource "pods" in API group "" in the namespace "edna"

Do I need to create RBAC for the user named "developer" and map all the permissions? If so, what is the correct way to do it?

I have installed rakkess with kubectl krew, and if I try with AWS temporary security credentials I get:

➜ k access-matrix -n edna           
NAME                                            LIST  CREATE  UPDATE  DELETE
bindings                                              ✖               
certificaterequests.cert-manager.io             ✖     ✖       ✖       ✖
certificates.cert-manager.io                    ✖     ✖       ✖       ✖
challenges.acme.cert-manager.io                 ✖     ✖       ✖       ✖
configmaps                                      ✖     ✖       ✖       ✖
controllerrevisions.apps                        ✖     ✖       ✖       ✖
cronjobs.batch                                  ✖     ✖       ✖       ✖
daemonsets.apps                                 ✖     ✖       ✖       ✖
deployments.apps                                ✖     ✖       ✖       ✖
endpoints                                       ✖     ✖       ✖       ✖
events                                          ✖     ✖       ✖       ✖
events.events.k8s.io                            ✖     ✖       ✖       ✖
horizontalpodautoscalers.autoscaling            ✖     ✖       ✖       ✖
ingresses.extensions                            ✖     ✖       ✖       ✖
ingresses.networking.k8s.io                     ✖     ✖       ✖       ✖
issuers.cert-manager.io                         ✖     ✖       ✖       ✖
jobs.batch                                      ✖     ✖       ✖       ✖
leases.coordination.k8s.io                      ✖     ✖       ✖       ✖
limitranges                                     ✖     ✖       ✖       ✖
localsubjectaccessreviews.authorization.k8s.io        ✖               
networkpolicies.networking.k8s.io               ✖     ✖       ✖       ✖
orders.acme.cert-manager.io                     ✖     ✖       ✖       ✖
persistentvolumeclaims                          ✖     ✖       ✖       ✖
poddisruptionbudgets.policy                     ✖     ✖       ✖       ✖
pods                                            ✖     ✖       ✖       ✖
podtemplates                                    ✖     ✖       ✖       ✖
replicasets.apps                                ✖     ✖       ✖       ✖
replicationcontrollers                          ✖     ✖       ✖       ✖
resourcequotas                                  ✖     ✖       ✖       ✖
rolebindings.rbac.authorization.k8s.io          ✖     ✖       ✖       ✖
roles.rbac.authorization.k8s.io                 ✖     ✖       ✖       ✖
secrets                                         ✖     ✖       ✖       ✖
serviceaccounts                                 ✖     ✖       ✖       ✖
services                                        ✖     ✖       ✖       ✖
statefulsets.apps                               ✖     ✖       ✖       ✖

Thanks, Dmitry

[Question discussion]:

    Tags: kubernetes amazon-eks kubernetes-rbac


    [Solution 1]:

    You need to have a Role and a RoleBinding to list the pods in that namespace.

    1. Create the role

      kubectl create role developer --verb=get,list,watch --resource=pods,pods/status --namespace=edna

    2. A RoleBinding for that role

      kubectl create rolebinding developer-binding --role=developer --user=developer --serviceaccount=edna:default -n edna

    3. After that, run this command to check whether you have access.

      kubectl auth can-i get pods -n edna --as developer

      This command will return yes, and then your problem is solved.

    For more information, see this documentation:

    https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding

    [Discussion]:
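The declarative equivalent of the answer's two kubectl commands, as an added example that is not part of the question or the answer. It also shows the aws-auth mapRoles entry the binding relies on: the question's ConfigMap puts the developer role in a group named "system:master", which matches no built-in group (the built-in cluster-admin group is "system:masters", with an s), so the mapped user had no permissions at all. Rather than granting cluster-admin, the example maps the IAM role to a custom group and binds a namespace-scoped Role to that group. The IAM account id keeps the page's "xxx" placeholder, and the group name "edna-developers" is an assumption chosen for illustration.

```yaml
# Added example, not the page's own config. The node-role entry is copied from the
# question and must stay: removing it breaks node registration with the cluster.
# "xxx" is the page's account-id placeholder; "edna-developers" is an assumed group name.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - "rolearn": "arn:aws:iam::xxx:role/edna-dev-eks200000005"
      "username": "system:node:{{EC2PrivateDNSName}}"
      "groups":
        - "system:bootstrappers"
        - "system:nodes"
    - "rolearn": "arn:aws:iam::xxx:role/team-developers"
      "username": "developer"
      "groups":
        - "edna-developers"
---
# Same as: kubectl create role developer --verb=get,list,watch \
#            --resource=pods,pods/status --namespace=edna
# Least privilege: read-only on pods, in one namespace, nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: edna
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/status"]
    verbs: ["get", "list", "watch"]
---
# Same as the answer's rolebinding, but bound to the group from mapRoles so every
# IAM principal that assumes team-developers gets the same scoped access.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: edna
subjects:
  - kind: Group
    name: edna-developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
```

Apply the file with `kubectl apply -f`, then verify the result the same way the answer does, but impersonating the group as well as the user, since the binding is on the group: `kubectl auth can-i list pods -n edna --as developer --as-group edna-developers` should return yes, while `kubectl auth can-i delete pods -n edna --as developer --as-group edna-developers` should still return no. Because this replaces the whole `data` section of aws-auth, carry over any other mapRoles, mapUsers or mapAccounts entries the cluster already has before applying.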
