缺少测试用户的权限

Question

我使用一个watcherList (这是官方的golang库支持的)来获取有关在kubernetes命名空间中创建、更新和删除服务的通知。在这里的片段。

func (kc *KubernetesCollector) streamEvents(ctx context.Context) {
    kc.debugChannel <- fmt.Sprintf("Start streaming events from kubernetes API")

    watchList := cache.NewListWatchFromClient(kc.k8sClient.RESTClient(), "services", kc.k8sNamespace, fields.Everything())

    notificationCallbackToAddService := func(svc interface{}) {
        service := svc.(*v1.Service)
        kc.serviceNotificationChannel <- &serviceNotification{service, "add"}
    }

    notificationCallbackToDeleteService := func(svc interface{}) {
        service := svc.(*v1.Service)
        kc.serviceNotificationChannel <- &serviceNotification{service, "remove"}
    }

    callbacks := cache.ResourceEventHandlerFuncs{
        AddFunc:    notificationCallbackToAddService,
        DeleteFunc: notificationCallbackToDeleteService,
    }

    _, controller := cache.NewInformer(watchList, &v1.Service{}, time.Second*0, callbacks)
    go controller.Run(ctx.Done())
}

在我的测试中，我在公共api地址上声明了kc.k8sClient，它是在k8sAPI变量中定义的。此外，我将承载令牌设置为对集群进行身份验证，并跳过以验证不安全的ssl证书。

func TestK8sWatchList(t *testing.T) {
    require := require.New(t)
    ...
    k8sConfig, err := clientcmd.BuildConfigFromFlags(k8sAPI, "")
    require.NoError(err)

    k8sConfig.BearerToken = "<bearerToken>"
    k8sConfig.Transport = &http.Transport{
        TLSClientConfig: &tls.Config{
            InsecureSkipVerify: true,
        },
    }
    k8sClient, err := kubernetes.NewForConfig(k8sConfig)

    k8sCollector := NewK8sCollector(k8sClient, k8sNamespace)

    ...
}

当我执行测试时，我会收到以下错误消息：

go test -v -timeout 500s <replaced>/t1k/pkg/collector -run TestK8sWatchList
=== RUN   TestK8sWatchList
11.02.2020 16:55:55 DEBUG: Start streaming events from kubernetes API
E0211 16:55:51.706530  121803 reflector.go:153] pkg/mod/k8s.io/client-go@v0.0.0-20200106225816-7985654fe8ee/tools/cache/reflector.go:105: Failed to list *v1.Service: forbidden: User "system:serviceaccount:t1k:t1k-test-serviceaccount" cannot get path "/namespaces/t1k/services"
E0211 16:55:52.707520  121803 reflector.go:153] pkg/mod/k8s.io/client-go@v0.0.0-20200106225816-7985654fe8ee/tools/cache/reflector.go:105: Failed to list *v1.Service: forbidden: User "system:serviceaccount:t1k:t1k-test-serviceaccount" cannot get path "/namespaces/t1k/services"
E0211 16:55:53.705539  121803 reflector.go:153] pkg/mod/k8s.io/client-go@v0.0.0-20200106225816-7985654fe8ee/tools/cache/reflector.go:105: Failed to list *v1.Service: forbidden: User "system:serviceaccount:t1k:t1k-test-serviceaccount" cannot get path "/namespaces/t1k/services"

我不明白为什么我会收到错误消息，因为在我看来，服务帐户“t1k测试-服务帐户”拥有所有必需的权限。现在，定义测试用户的服务帐户、角色和角色绑定。

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: t1k
  name: t1k-test-serviceaccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: t1k
  name: t1k-test-role
rules:
- apiGroups: [""]   # "" indicates the core API group
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: t1k
  name: t1k-test-rolebinding
subjects:
- name: t1k-test-serviceaccount
  kind: ServiceAccount
  apiGroup: ""
roleRef:
  name: t1k-test-role
  kind: Role
  apiGroup: rbac.authorization.k8s.io

补充资料：

• kubeadm版本1.15.9
• kubectl版本1.17.2
• golib版本
  • k8s.io/api v0.17.2
  • k8s.io/apimachinery v0.17.2
  • k8s.io/client-go v0.0.0-20200106225816-7985654fe8ee
  • k8s.io/utils v0.0.0-20200117235808-5f6fbceb4c31 /间接

​

Answer 1

我找到了解决办法。k8sClientSet的KubernetesCollector结构是一个指针。包pkg/mod/k8s.io/client-go@v0.0.0-20200106225816-7985654fe8ee的反射函数不能处理指针对象。

type KubernetesCollector struct {
    ...
    k8sClient *kubernetes.ClientSet
    namespace string
    ...
}

我将k8sClient替换为来自k8s.io/client-go/kubernetes/typed/core/v1的CoreV1Interface。因此，我更改了对ListWatch的调用。

type KubernetesCollector struct {
   .... 
   iface         corev1.CoreV1Interface
   namespace     string
   ....
}

func (kc *KubernetesCollector) start(ctx context.Context) {
    watchList := cache.NewListWatchFromClient(kc.iface.RESTClient(), "services", kc.namespace, fields.Everything())
    ....
}

Answer 2

您可以使用以下命令检查服务帐户的权限：

kubectl auth can-i list services --namespace t1k --as=system:serviceaccount:t1k:t1k-test-serviceaccount

您不需要设置令牌manually...you，可以像在这个示例中一样使用示例..Client-当使用rest.InClusterConfig()时，go使用Pod中挂载的服务帐户令牌，在使用rest.InClusterConfig()时，rest.InClusterConfig/run/rest.InClusterConfig/kubernetes.io/serviceaccount路径。