就像你说的那样,我创建了另一个pod,它是同类的:job,并包含script.sh.
在script.sh文件中;kubectl exec"到主吊舱运行几个命令
脚本被执行,但我得到错误";无法创建资源";API组中的pods/exec";
因此,我用resources创建了一个clusterrole:["pods/exec"],并使用ClusterRoleBinding 将其绑定到默认服务帐户
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-account-role-binding
namespace: default
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
In the pod which is of kind:job, I include the service account like shown below
restartPolicy: Never
serviceAccountName: default
but I still get the same error. What am I doing wrong here ?
Error from server (Forbidden): pods "mongo-0" is forbidden: User "system:serviceaccount:default:default" cannot create resource "pods/exec" in API group "" in the namespace "default"
如果这是需要定期运行以进行维护的东西,请查看Kubernetes守护进程集对象。