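I have a Python script that tries to scale a StatefulSet from inside a pod, but it gets a Forbidden error from the API server. The YAML file below shows my Role and RoleBinding: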
```yaml
# Role in the code-server namespace: update/patch on StatefulSets
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: server-controller
  namespace: code-server
rules:
- apiGroups: ["*"]
  resources:
  - statefulsets
  verbs: ["update", "patch"]
---
# Binds the Role to the server-controller ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: server-controller
  namespace: code-server
subjects:
- kind: ServiceAccount
  name: server-controller
  namespace: code-server
roleRef:
  kind: Role
  name: server-controller
  apiGroup: rbac.authorization.k8s.io
```

The following Python snippet shows how I access the API:
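```python
import kubernetes.client
import kubernetes.config

# Authenticate with the pod's mounted ServiceAccount token
kubernetes.config.load_incluster_config()
app = kubernetes.client.AppsV1Api()
# Patch the scale subresource of the StatefulSet "jim"
body = {"spec": {"replicas": 1}}
app.patch_namespaced_stateful_set_scale(
    name="jim",
    namespace="code-server",
    body=body)
```

I get the following error: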
```
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache", 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Fri, 15 Oct 2021 15:25:24 GMT', 'Content-Length': '469'})
HTTP response Body: {
  "kind": "Status",
  "apiVersion": "v1"
  "metadata": {
  }
  "status": "Failure",
  "message": "statefulsets.apps \"jim\" is forbidden: User \"system:serviceaccount:code-server:server-controller\" cannot patch resource \"statefulsets/scale\" in API group \"apps\" in the namespace \"code-server\"",
  "reason": "Forbidden",
  "details": {
    "name": "jim",
    "group": "apps",
    "kind": "statefulesets"
  }
  "code": 403
}
```

Posted on 2021-10-21 17:09:32
The solution is to change "statefulsets" in the "resources" field under "Role" to "statefulsets/scale".
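Why the original rule fails and the changed one works, as an added example that is not part of the original question or answer: a simplified Python model of how RBAC matches one rule against a request, run against the rule from the question, the rule after the answer's change, and a narrower variant. `rule_allows`, `evaluate` and `NARROW_RULE` are hypothetical names and values introduced here; this is not the API server's code.

```python
# Simplified model of Kubernetes RBAC rule matching (added example).
# A subresource is its own resource name, written "resource/subresource",
# so a grant on "statefulsets" does not cover "statefulsets/scale".

def rule_allows(rule, verb, api_group, resource, subresource=""):
    """Return True if a single Role rule permits the request."""
    requested = f"{resource}/{subresource}" if subresource else resource
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    if "*" not in rule["apiGroups"] and api_group not in rule["apiGroups"]:
        return False
    for res in rule["resources"]:
        if res == "*" or res == requested:
            return True
        # "*/scale" grants the scale subresource of every resource
        if subresource and res == f"*/{subresource}":
            return True
    return False

# Rule as posted in the question
QUESTION_RULE = {"apiGroups": ["*"], "resources": ["statefulsets"],
                 "verbs": ["update", "patch"]}
# Rule after the answer's change
ANSWER_RULE = {"apiGroups": ["*"], "resources": ["statefulsets/scale"],
               "verbs": ["update", "patch"]}
# Assumed narrower variant: only the group and verb this call uses
NARROW_RULE = {"apiGroups": ["apps"], "resources": ["statefulsets/scale"],
               "verbs": ["patch"]}

# The request named in the 403 message
SCALE_PATCH = ("patch", "apps", "statefulsets", "scale")
# Patching the StatefulSet object itself (for example its pod template)
OBJECT_PATCH = ("patch", "apps", "statefulsets", "")

def evaluate():
    """Map rule name -> (scale patch allowed, object patch allowed)."""
    rules = {"question": QUESTION_RULE, "answer": ANSWER_RULE,
             "narrow": NARROW_RULE}
    return {name: (rule_allows(r, *SCALE_PATCH), rule_allows(r, *OBJECT_PATCH))
            for name, r in rules.items()}

if __name__ == "__main__":
    for name, (scale_ok, object_ok) in evaluate().items():
        print(f"{name:8} scale={scale_ok} object={object_ok}")
```

With the changed rule the ServiceAccount can set the replica count but can no longer patch the StatefulSet object itself, which limits what a compromised pod can do with the token.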
https://stackoverflow.com/questions/69587353