未能为kube创建ClusterRole
未能为kube创建ClusterRole
提问于 2018-01-31 05:43:35
我做了这个例子https://github.com/jetstack/kube-lego/tree/master/examples/gce,然后没有创建ClusterRole kube.
错误是:
Error from server (Forbidden): error when creating "k8s/kube-lego/hoge.yaml": clusterroles.rbac.authorization.k8s.io "kube-lego" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["delete"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["update"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["create"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["patch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["delete"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["update"]}] user=&{myemail@gmail.com [system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]我试了1.8.6-gke.0,1.8.7-gke.0和1.9.2-gke.0。
谢谢。
回答 2
Stack Overflow用户
回答已采纳
发布于 2018-01-31 05:52:02
如第225期中的评论
结果,我在GKE 1.6的已知问题中收到了错误。我通过以下文章解决了这个问题: 获取当前的google身份
$ gcloud info | grep Account
Account: [myname@example.org]授予群集-对当前身份的管理
$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org
Clusterrolebinding "myname-cluster-admin-binding" created有关要定义的实际RBAC,请参见第99期
它引用添加官方RBAC规则,它应用正确的设置:
# RBAC objects
kubectl apply -f lego/service-account.yaml
kubectl apply -f lego/cluster-role.yaml
kubectl apply -f lego/cluster-role-binding.yamlStack Overflow用户
发布于 2018-02-06 17:44:20
你来自gcloud info | grep Account的谷歌账户电子邮件可能不起作用,但我解决了这个问题。
转到堆栈驱动测井,选择适当的kubernetes集群和错误日志级别。
应用下一个高级过滤器(更改相应的字段):
resource.type="k8s_cluster"
resource.labels.location="europe-west1-b"
resource.labels.cluster_name="your-cluster-name"
severity>=ERROR
protoPayload.resourceName="rbac.authorization.k8s.io/v1beta1/clusterroles/prometheus-operator"你会发现这样的错误:
k8s.io create prometheus-operator 20456435270447878856446 {"@type":"type.googleapis.com/google.cloud.audit.AuditLog","status":{"code": ...接下来,您需要复制长编号的principalEmail。将其粘贴到clusterrolebinding命令中,作为用户键:
kubectl create clusterrolebinding 20456435270447878856446-cluster-admin-binding --clusterrole=cluster-admin --user=20456435270447878856446您将能够创建prometheus-运算符集群角色。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/48535231
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号