I am trying to make a pod that acts as a controller for other pods, basically creating and stopping them as needed. I initially created a ServiceAccount, a Role, a RoleBinding and a simple alpine container that I can use for curl tests in a new namespace. Here is my YAML file for all of this:
apiVersion: v1
kind: Namespace
metadata:
  name: nfv
  labels:
    name: nfv
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfv-svc
  namespace: nfv
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nfv-role
  namespace: nfv
rules:
- apiGroups:
  - ''
  resources:
  - 'pods'
  verbs:
  - 'create'
  - 'delete'
  - 'get'
  - 'list'
  - 'patch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nfv-rolebind
subjects:
- kind: ServiceAccount
  name: nfv-svc
  namespace: nfv
roleRef:
  kind: Role
  name: nfv-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: sdn-test
  namespace: nfv
spec:
  serviceAccountName: nfv-svc
  containers:
  - image: alpine:3.9
    name: sdn-test-container
    command:
    - sleep
    - "10000"

Then I attached to the alpine test container and did the following:
apk add --update curl
CA_CERT=/run/secrets/kubernetes.io/serviceaccount/ca.crt
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
curl -H "Authorization: Bearer $TOKEN" --cacert $CA_CERT https://kubernetes.default/api/v1/namespaces/$NAMESPACE/pods

and got the following output:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "pods is forbidden: User \"system:serviceaccount:nfv:nfv-svc\" cannot list resource \"pods\" in API group \"\" in the namespace \"nfv\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}

The Role should have enough permissions to list pods in my namespace, so why doesn't it work? What am I missing? I am using Kubernetes v1.18.2 on Ubuntu 16.04.
Posted 2020-06-26 06:31:24
The RoleBinding needs to have namespace: nfv, because it is a namespace-scoped resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: nfv-rolebind
  namespace: nfv
subjects:
- kind: ServiceAccount
  name: nfv-svc
  namespace: nfv
roleRef:
  kind: Role
  name: nfv-role
  apiGroup: rbac.authorization.k8s.io

To verify the permissions, you can use the following command:
kubectl auth can-i list pods --as=system:serviceaccount:nfv:nfv-svc -n nfv
yes

Posted 2022-03-10 05:43:19
Check the namespace and subscription you are trying to use.

Each namespace belongs to a particular context. Make sure the correct context is activated for the namespace you want.

Command to check the available contexts:

kubectl config view --minify --flatten

The command to update the context looks like this:

az abc get-credentials --resource-group resource-group-rg --name name-goes-here-1 --subscription subscription-account-id-goes-here-1

Posted 2022-05-31 15:29:33
Followed the instructions above to a T, but I am still getting the 403 Forbidden error.

Role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: job-robot
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - '*'
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - '*'

RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-robot
  namespace: default
subjects:
- kind: ServiceAccount
  name: job-robot # Name of the ServiceAccount
  namespace: default
roleRef:
  kind: Role # This must be Role or ClusterRole
  name: job-robot # This must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

Usage in a k8s Job object:
...
spec:
  backoffLimit: 4
  template:
    spec:
      serviceAccountName: job-robot
      initContainers:
      ...

Any guidance is greatly appreciated!
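The accepted answer's point (a RoleBinding without metadata.namespace lands in the current context's namespace, where the Role does not exist) can be caught before applying anything. Below is an added example, not code from this thread: a small lint over manifests already parsed into dicts (the shape yaml.safe_load_all() returns), so it needs neither PyYAML nor a cluster; the sample manifests are constructed to mirror the question's Role and RoleBinding.

```python
# Added example, not code from the thread. Lints already-parsed manifests (dicts) for the
# mistake in the question: a RoleBinding that references a namespaced Role but carries no
# metadata.namespace of its own, so kubectl apply creates it in the current context's
# namespace (usually "default"), where the referenced Role does not exist.


def lint_rolebindings(docs, context_ns="default"):
    """Return a list of findings; an empty list means the bindings look consistent."""
    roles = set()  # (namespace, name) of every Role in the manifest set
    for d in docs:
        if d.get("kind") == "Role":
            md = d.get("metadata", {})
            roles.add((md.get("namespace", context_ns), md.get("name")))

    findings = []
    for d in docs:
        if d.get("kind") != "RoleBinding":
            continue
        md = d.get("metadata", {})
        name, ns = md.get("name"), md.get("namespace", context_ns)
        ref = d.get("roleRef", {})
        if "namespace" not in md:
            findings.append(f"RoleBinding {name}: metadata.namespace missing, will be created in '{ns}'")
        # A roleRef of kind ClusterRole is cluster-scoped, so only Role references are checked.
        if ref.get("kind") == "Role" and (ns, ref.get("name")) not in roles:
            findings.append(f"RoleBinding {name}: Role '{ref.get('name')}' does not exist in namespace '{ns}'")
    return findings


# Constructed sample: the question's Role and its RoleBinding, which lacks a namespace.
ROLE_NFV = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": "nfv-role", "namespace": "nfv"},
            "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]}
BINDING_BROKEN = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
                  "metadata": {"name": "nfv-rolebind"},
                  "subjects": [{"kind": "ServiceAccount", "name": "nfv-svc", "namespace": "nfv"}],
                  "roleRef": {"kind": "Role", "name": "nfv-role",
                              "apiGroup": "rbac.authorization.k8s.io"}}
# The same binding with the fix from the accepted answer applied.
BINDING_FIXED = {**BINDING_BROKEN, "metadata": {"name": "nfv-rolebind", "namespace": "nfv"}}

if __name__ == "__main__":
    for finding in lint_rolebindings([ROLE_NFV, BINDING_BROKEN]):
        print(finding)
    print("fixed:", lint_rolebindings([ROLE_NFV, BINDING_FIXED]))  # prints "fixed: []"
```

Passing context_ns as the namespace your kubectl context actually points at reproduces what kubectl apply would have done.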
https://stackoverflow.com/questions/62589073