Kubernetes ServiceAccount不能列出节点

Question

我正在尝试授予我的服务帐户foo权限来获取集群上节点的列表(通过kubectl get nodes)。我创建了一个集群角色和一个与以下权限绑定的角色：

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
 name: foo-cluster-role
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]

当我使用该服务帐户运行一个pod时，我无法运行kubectl get nodes：

root@debugger:/# kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:default:foo" cannot list resource "nodes" in API group "" at the cluster scope

奇怪的是，当我通过kubectl auth can-i询问时，它告诉我我应该可以访问：

root@debugger:/# kubectl auth can-i get nodes
Warning: resource 'nodes' is not namespace scoped
yes

如何设置服务帐户，以便能够列出集群上的节点？

编辑集群绑定如下所示：

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: foo-binding
subjects:
- kind: ServiceAccount
  name: foo
roleRef:
  kind: ClusterRole
  name: foo-cluster-role
  apiGroup: ""

Answer 1

您必须创建ClusterRoleBinding。请查一下下面的内容。

    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
      name: foo-cluster-role
    rules:
    - apiGroups: [""]
      resources: ["nodes"]
      verbs: ["get", "watch", "list"]

    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: foo-binding
    subjects:
    - kind: ServiceAccount
      name: foo
    roleRef:
      kind: ClusterRole
      name: foo-cluster-role
      apiGroup: rbac.authorization.k8s.io