Read-only access to Ingress resources for a Kubernetes user



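I am trying to grant the default service account in my namespace the ability to read Ingress resources. I would like to be able to read all Ingress resources in the cluster; does that require a ClusterRole? This is the Role and binding I have been trying. The kubectl command CCD_ 1 also returns "no".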

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: my-ingress-reader
rules:
- apiGroups: ["", "networking.k8s.io", "networking", "extensions"] # "" indicates the core API group
  resources: ["ingress"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-ingress-reader
  namespace: my-namespace
subjects:
- kind: ServiceAccount
  name: default
  namespace: my-namespace
roleRef:
  kind: Role
  name: my-ingress-reader
  apiGroup: rbac.authorization.k8s.io

Your Role rules use an incorrect API resource name, namely resources: ["ingress"]; it must be resources: ["ingresses"].

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: my-ingress-reader
rules:
- apiGroups: ["", "networking.k8s.io", "networking", "extensions"] # "" indicates the core API group
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]

To check the correct API resource names, you can use the following command:

root@controlplane:~# kubectl api-resources | grep -i ingress
ingresses                         ing          extensions/v1beta1                     true         Ingress
ingressclasses                                 networking.k8s.io/v1                   false        IngressClass
ingresses                         ing          networking.k8s.io/v1                   true         Ingress
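
Added example, not part of the original question or answer: a small linter that checks an RBAC rule against `kubectl api-resources` output, since RBAC accepts a resource name such as "ingress" without error and the rule then simply matches nothing. The function names and the dict form of the rules are assumptions made for this sketch; the inventory lines are the ones shown above, and the parser assumes that APIVERSION column layout.

```python
# Added example: lint RBAC rules against `kubectl api-resources` output.
# Constructed input: the three inventory lines are copied from the answer above.
API_RESOURCES = """\
ingresses                         ing          extensions/v1beta1                     true         Ingress
ingressclasses                                 networking.k8s.io/v1                   false        IngressClass
ingresses                         ing          networking.k8s.io/v1                   true         Ingress
"""
GROUPS = ["", "networking.k8s.io", "networking", "extensions"]
QUESTION_RULE = {"apiGroups": GROUPS, "resources": ["ingress"], "verbs": ["get", "watch", "list"]}
ANSWER_RULE = {"apiGroups": GROUPS, "resources": ["ingresses"], "verbs": ["get", "watch", "list"]}


def parse_api_resources(text):
    """Map each API group to the plural resource names it serves."""
    served = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "NAME":  # skip blanks and the header row
            continue
        # SHORTNAMES may be empty, so count from the right: APIVERSION NAMESPACED KIND
        name, api_version = cols[0], cols[-3]
        group = api_version.rsplit("/", 1)[0] if "/" in api_version else ""  # "v1" is core
        served.setdefault(group, set()).add(name)
    return served


def lint_rule(rule, served):
    """Return findings for resources and apiGroups in one rule that match nothing."""
    groups = rule.get("apiGroups", [])
    # Subresources such as "pods/log" are checked by their parent resource name.
    bases = {r: r.split("/", 1)[0] for r in rule.get("resources", [])}
    findings = []
    for res, base in bases.items():
        if res != "*" and "*" not in groups and not any(base in served.get(g, ()) for g in groups):
            findings.append(f"resource {res!r} is not served by any listed apiGroup")
    for g in groups:
        if g != "*" and "*" not in bases and not any(b in served.get(g, ()) for b in bases.values()):
            findings.append(f"apiGroup {g!r} serves none of the listed resources")
    return findings


if __name__ == "__main__":
    inventory = parse_api_resources(API_RESOURCES)
    for label, rule in (("question", QUESTION_RULE), ("answer", ANSWER_RULE)):
        for finding in lint_rule(rule, inventory):
            print(f"{label}: {finding}")
```

Against the inventory above, the corrected Role still reports the "" and "networking" apiGroups as serving no Ingress resource, so they can be dropped from the rule.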
