I am running Kubernetes on-prem.
When I build GitLab on Kubernetes I run into some problems. I think it is related to the serviceaccount or the role binding, but I cannot find the right way to fix it.
I found these posts:
Kubernetes log, User "system:serviceaccount:default:default" cannot get services in the namespace
https://github.com/kubernetes/kops/issues/3551
My error log:
==> /var/log/gitlab/prometheus/current <==
2018-12-24_03:06:08.88786 level=error ts=2018-12-24T03:06:08.887812767Z caller=main.go:240 component=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:372: Failed to list *v1.Node: nodes is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2018-12-24_03:06:08.89075 level=error ts=2018-12-24T03:06:08.890719525Z caller=main.go:240 component=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:320: Failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
Posted on 2018-12-24 12:13:20
The problem is that your default service account has no permission to get nodes or pods at the cluster scope. The minimum ClusterRole and ClusterRoleBinding that resolve this are:
# rbac.authorization.k8s.io/v1 is the stable API (v1beta1 was removed in Kubernetes 1.22)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prom-admin
rules:
  # Just an example, feel free to change it
  - apiGroups: [""]
    resources: ["pods", "nodes"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prom-rbac
subjects:
  - kind: ServiceAccount
    name: default
    # a ServiceAccount subject must carry its namespace, otherwise the API server rejects the binding
    namespace: default
roleRef:
  kind: ClusterRole
  name: prom-admin
  apiGroup: rbac.authorization.k8s.io
The ClusterRole above gives the default service account permission to access any pods or nodes in any namespace.
You can change the ClusterRole to give the service account more permissions; if you want to grant the default service account access to everything, replace the resources in prom-admin with resources: ["*"].
Hope this helps.
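As an added example (not part of the original answer), the following Python script shows how to turn the "is forbidden" lines from the Prometheus log into a concrete RBAC requirement and check a candidate ClusterRole/ClusterRoleBinding against it before applying it. It embeds the two log lines from the question (constructed, shortened copies), the prom-admin manifests from the answer as Python dicts, and a deliberately defective binding that omits the subject namespace, to show why that field matters. The wildcard check flags the `resources: ["*"]` variant the answer mentions, since a ClusterRole with wildcards granted to the default service account is far broader than Prometheus discovery needs. All object names and the `can_i`/`unresolved_denials`/`wildcard_rules` helpers are assumptions made for this example; the evaluator only covers cluster-scoped ClusterRoleBindings, not namespaced RoleBindings.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two Prometheus error lines from the question (shortened).
SAMPLE_LOG = [
    r'level=error ts=2018-12-24T03:06:08.887812767Z caller=main.go:240 component=k8s_client_runtime err="kubernetes.go:372: Failed to list *v1.Node: nodes is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"',
    r'level=error ts=2018-12-24T03:06:08.890719525Z caller=main.go:240 component=k8s_client_runtime err="kubernetes.go:320: Failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"pods\" in API group \"\" at the cluster scope"',
]

# The API server's forbidden message names the user, verb, resource and API group.
# The quotes inside err="..." are backslash-escaped in the log, hence the \\" in the pattern.
FORBIDDEN_RE = re.compile(
    r'User \\"(?P<user>[^"\\]+)\\" cannot (?P<verb>\w+) resource \\"(?P<resource>[^"\\]+)\\"'
    r' in API group \\"(?P<group>[^"\\]*)\\"'
)

# Manifests from the answer, as dicts (assumed names prom-admin / prom-rbac come from the answer).
PROM_ADMIN = {
    "kind": "ClusterRole",
    "metadata": {"name": "prom-admin"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "watch", "list"]}],
}
PROM_RBAC = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "prom-rbac"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
    "roleRef": {"kind": "ClusterRole", "name": "prom-admin"},
}
# Defective variant (constructed): subject without a namespace never matches a service account.
BINDING_MISSING_NAMESPACE = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "prom-rbac"},
    "subjects": [{"kind": "ServiceAccount", "name": "default"}],
    "roleRef": {"kind": "ClusterRole", "name": "prom-admin"},
}
# The "grant everything" variant the answer mentions (constructed).
PROM_ALL = {
    "kind": "ClusterRole",
    "metadata": {"name": "prom-admin"},
    "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get", "watch", "list"]}],
}


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Extract (user, verb, resource, group) from an API-server 'forbidden' log line."""
    m = FORBIDDEN_RE.search(line)
    return m.groupdict() if m else None


def subject_from_user(user: str) -> Dict[str, str]:
    """Map system:serviceaccount:<ns>:<name> to an RBAC ServiceAccount subject."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return {"kind": "ServiceAccount", "namespace": parts[2], "name": parts[3]}
    return {"kind": "User", "name": user}


def _matches(allowed: List[str], wanted: str) -> bool:
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Dict, verb: str, resource: str, group: str) -> bool:
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def subject_matches(binding_subject: Dict, subject: Dict) -> bool:
    """Kind and name must match; for service accounts the namespace must match too."""
    if binding_subject.get("kind") != subject["kind"] or binding_subject.get("name") != subject["name"]:
        return False
    if subject["kind"] == "ServiceAccount":
        return binding_subject.get("namespace") == subject["namespace"]
    return True


def can_i(subject: Dict, verb: str, resource: str, group: str,
          cluster_roles: List[Dict], bindings: List[Dict]) -> bool:
    """Evaluate ClusterRoleBindings the way the RBAC authorizer does: any matching rule allows."""
    roles = {r["metadata"]["name"]: r for r in cluster_roles}
    for binding in bindings:
        if not any(subject_matches(s, subject) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        role = roles.get(ref["name"])
        if role is None or ref.get("kind") != "ClusterRole":
            continue
        if any(rule_allows(rule, verb, resource, group) for rule in role.get("rules", [])):
            return True
    return False


def unresolved_denials(log_lines: List[str], cluster_roles: List[Dict], bindings: List[Dict]) -> List[Dict]:
    """Return the logged denials that the candidate manifests would still not satisfy."""
    remaining = []
    for line in log_lines:
        denial = parse_denial(line)
        if denial is None:
            continue
        subject = subject_from_user(denial["user"])
        if not can_i(subject, denial["verb"], denial["resource"], denial["group"], cluster_roles, bindings):
            remaining.append(denial)
    return remaining


def wildcard_rules(role: Dict) -> List[Dict]:
    """Rules using '*' for groups, resources or verbs: broader than a scraper needs."""
    return [r for r in role.get("rules", [])
            if "*" in r.get("apiGroups", []) or "*" in r.get("resources", []) or "*" in r.get("verbs", [])]


if __name__ == "__main__":
    print("still denied with prom-admin + prom-rbac:", unresolved_denials(SAMPLE_LOG, [PROM_ADMIN], [PROM_RBAC]))
    print("still denied without subject namespace:",
          [d["resource"] for d in unresolved_denials(SAMPLE_LOG, [PROM_ADMIN], [BINDING_MISSING_NAMESPACE])])
    print("wildcard rules in the 'everything' variant:", wildcard_rules(PROM_ALL))
```

On a live cluster the same check is `kubectl auth can-i list nodes --as=system:serviceaccount:default:default`; the script is useful when you want to review a manifest offline, or to confirm that every denial in the log is covered without handing the default service account more than `get`, `watch` and `list` on pods and nodes.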
https://stackoverflow.com/questions/53908848