无法作为ServiceAccount进行部署
无法作为ServiceAccount进行部署
提问于 2022-07-30 12:47:11
我试图访问另一个名称空间中的部署,并具有以下ServiceAccount、ClusterRole和ClusterRoleBinding
apiVersion: v1
kind: ServiceAccount
metadata:
name: tekton-triggers-example-sa
namespace: tekton-pipelines
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-pipeline-sa
rules:
- apiGroups: [""]
resources: ["secrets", "services", "deployments", "pods"]
verbs: ["get", "watch", "list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-pipeline-permissions
namespace: tekton-pipelines
subjects:
- kind: ServiceAccount
name: tekton-triggers-example-sa
namespace: tekton-pipelines
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tekton-pipeline-sa有了这个,我可以得到除了deployments以外的一切
kubectl auth can-i get secrets --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
yes
kubectl auth can-i get services --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
yes
kubectl auth can-i get deployments --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
no
kubectl auth can-i get pods --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
yes如果我删除绑定,我什么也得不到,这是有道理的
kubectl delete -f rbac/binding.yaml
clusterrolebinding.rbac.authorization.k8s.io "tekton-pipeline-permissions" deleted
kubectl auth can-i get secrets --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
no
kubectl auth can-i get services --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
no
kubectl auth can-i get deployments --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
no
kubectl auth can-i get pods --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
no如果我再次应用它,我可以访问除了deployments以外的所有东西
kubectl apply -f rbac/binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/tekton-pipeline-permissions created
kubectl auth can-i get secrets --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
yes
kubectl auth can-i get services --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
yes
kubectl auth can-i get deployments --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
no
kubectl auth can-i get pods --as=system:serviceaccount:tekton-pipelines:tekton-triggers-example-sa -n anxiety-app
yes因此,在我看来,绑定对于除deployments之外的所有资源都是有效的。
谁知道我错了什么,为什么我不能进入部署?
回答 1
Stack Overflow用户
回答已采纳
发布于 2022-07-30 13:05:47
您的ClusterRole应该是:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-pipeline-sa
rules:
- apiGroups: [""]
resources: ["secrets", "services", "pods"]
verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "watch", "list", "create", "delete"]一个部署将有一些apiVersion: apps/v1。它属于apiGroups apps。这里有豆荚、秘密或服务的地方将其设置为v1,因此在appGroups ""中。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/73175745
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号