Unable to read resources through the K8s API



UPDATED

I am trying to fetch resources via curl from a pod deployed on K8s.
While I can get the list of pods through a curl request, I cannot access configmaps and nodes.

Here is the role binding I am using (works for pods):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-ro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", “configmaps”]
  verbs: ["get","list"]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-cro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["nodes”]
  verbs: ["get","list"]

When I try to get the list of nodes:

curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/nodes
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "nodes is forbidden: User "system:serviceaccount:test:test" cannot list resource "nodes" in API group "" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "nodes"
  },

The same happens for configmaps:

curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/configmaps
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "configmaps is forbidden: User "system:serviceaccount:test:test" cannot list resource "configmaps" in API group "" in the namespace "default"",
  "reason": "Forbidden",
  "details": {
    "kind": "configmaps"
  },
  "code": 403

On the other hand, it works for pods.
What could be the problem? A misconfigured RoleBinding?

For the test-ro Role to be allowed to list ConfigMaps, the resource name has to be specified in plural form. This may be the reason why listing Pods works but listing ConfigMaps does not. The Role should therefore be specified like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-ro
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "configmaps"]
  verbs: ["get","list"]

Listing nodes needs a slightly different configuration, because nodes are a cluster-scoped resource, not a namespaced one. The nodes permission therefore has to be granted in a ClusterRole.

In addition, the API URL for listing nodes has no namespace in it. The correct URL is https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/nodes

An example of a working ClusterRole could be:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["nodes"]
  verbs: ["get","list"]
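
To make the scoping rules in this answer concrete, the following is an added example (not code from the question or the answer) that models how the API server's RBAC authorizer decides these requests: a Role only covers the namespace its RoleBinding lives in, a ClusterRole bound with a ClusterRoleBinding covers cluster-scoped requests such as listing nodes, and resource names are matched byte-for-byte (so the curly-quoted “configmaps” in the question's manifest is a different name from configmaps). It assumes test-ro is bound to the service account in namespace test; the bindings are constructed inline.

```python
# Minimal model of Kubernetes RBAC authorization (added example, not from the
# original post). Assumptions: the Role is bound in namespace "test" and the
# ClusterRole is bound with a ClusterRoleBinding.
from dataclasses import dataclass
from typing import List, Optional

CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes"}  # core-group examples

@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

@dataclass
class Binding:
    subject: str              # e.g. "system:serviceaccount:test:test"
    rules: List[Rule]         # rules of the referenced Role / ClusterRole
    namespace: Optional[str]  # RoleBinding namespace, or None for a ClusterRoleBinding

def allowed(bindings, subject, verb, resource, namespace=None, api_group=""):
    """True if some binding grants `verb` on `resource` to `subject`.
    namespace=None models a cluster-scoped request such as GET /api/v1/nodes."""
    if resource in CLUSTER_SCOPED and namespace is not None:
        return False  # cluster-scoped resources have no namespaced URL at all
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding (even one referencing a ClusterRole) only covers its own
        # namespace, so it can never satisfy a cluster-scoped request.
        if b.namespace is not None and b.namespace != namespace:
            continue
        for r in b.rules:
            if (api_group in r.api_groups and verb in r.verbs
                    and (resource in r.resources or "*" in r.resources)):
                return True
    return False

SA = "system:serviceaccount:test:test"
# Constructed from the question's manifests: the curly quotes are kept as part of the name.
QUESTION = [Binding(SA, [Rule([""], ["pods", "\u201cconfigmaps\u201d"], ["get", "list"])], "test")]
# The answer's fix: plain "configmaps" in the Role, plus a ClusterRoleBinding for nodes.
FIXED = [Binding(SA, [Rule([""], ["pods", "configmaps"], ["get", "list"])], "test"),
         Binding(SA, [Rule([""], ["nodes"], ["get", "list"])], None)]

if __name__ == "__main__":
    for label, b in (("question", QUESTION), ("fixed", FIXED)):
        print(label, "pods/test:", allowed(b, SA, "list", "pods", "test"),
              "configmaps/test:", allowed(b, SA, "list", "configmaps", "test"),
              "configmaps/default:", allowed(b, SA, "list", "configmaps", "default"),
              "nodes:", allowed(b, SA, "list", "nodes"))
```

Note that the question's curl targets namespace default while the service account lives in test; under this model that request stays forbidden even after the fix, because the RoleBinding is namespaced.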
