kubernetes v1.23.6
rancher-desktop v1.3.0
I am trying to use the Kubernetes API HTTP endpoint from inside a pod. I have a service account set up that should have permission to access the API and return data, but I cannot get any useful result out of it.
I get a 403 Forbidden for an element that I think should be accessible to the ServiceAccount:
curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" https://kubernetes.default.svc/api/v1/default/pods/ubuntu
where $KUBE_TOKEN is the value read from /var/run/secrets/kubernetes.io/serviceaccount/token
returns:
https://kubernetes.default.svc/api/v1/default/pods/ubuntu
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "default \"pods\" is forbidden: User \"system:serviceaccount:default:podkiller\" cannot get resource \"default/ubuntu\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "pods",
    "kind": "default"
  },
  "code": 403
}
I originally had a Role rather than a ClusterRole; this is what allowed me to use the API at all, as before that every request returned Forbidden.
I looked at some other posts (1, 2, 3), but they all seem to be namespace issues or a role not being bound to the account, which I think I have done correctly.
ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: podkiller
automountServiceAccountToken: true
ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: podkiller
rules:
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list", "delete"]
ClusterRoleBinding
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: podkiller
subjects:
- kind: ServiceAccount
  name: podkiller
  namespace: default
roleRef:
  kind: ClusterRole
  name: podkiller
  apiGroup: rbac.authorization.k8s.io
Pod
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    app: ubuntu
spec:
  serviceAccountName: podkiller
  automountServiceAccountToken: true
  containers:
  - image: ubuntu
    command:
    - "sleep"
    - "604800"
    imagePullPolicy: IfNotPresent
    name: ubuntu
  restartPolicy: Always
Which namespace does your service account podkiller live in? I suspect it is not in the default namespace, as your ClusterRoleBinding indicates. Changing it to the correct namespace may solve your problem.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: podkiller
subjects:
- kind: ServiceAccount
  name: podkiller
  namespace: default => correct namespace
roleRef:
  kind: ClusterRole
  name: podkiller
  apiGroup: rbac.authorization.k8s.io
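A point worth checking before touching the binding: the REST path for a namespaced core resource is /api/v1/namespaces/<namespace>/pods/<name>. The URL in the question, /api/v1/default/pods/ubuntu, omits the "namespaces" segment, so the API server parses it as a cluster-scoped request for resource "default", name "pods", subresource "ubuntu", which is exactly what the Status body reports ("cannot get resource "default/ubuntu" ... at the cluster scope", details name "pods", kind "default"). RBAC is evaluated against that parsed request, which no rule in the ClusterRole covers, so the 403 comes back regardless of which namespace the binding names. The script below is an added example, not code from the question or the answer. It assumes it runs inside the pod with the ServiceAccount token mounted at the standard path and that curl is present; the helper names k8s_path, classify_status and sa_get, the API_SERVER variable, and the sample Status body are this example's own constructions, with the sample copied from the response shown in the question.

```shell
#!/usr/bin/env bash
# Added example: build the correct in-cluster API path, triage the Status
# body the server returns, and issue the request with the mounted token.
# Helper names and API_SERVER are this example's own, not a Kubernetes API.
set -eu

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API_SERVER=${API_SERVER:-https://kubernetes.default.svc}

# k8s_path NAMESPACE RESOURCE [NAME]
# Core-group namespaced resources live under
#   /api/v1/namespaces/<namespace>/<resource>[/<name>]
# Dropping the "namespaces" segment turns the first component into a
# cluster-scoped resource type, which is what produced the 403 above.
k8s_path() {
  local ns=$1 resource=$2 name=${3:-}
  if [ -n "$name" ]; then
    printf '/api/v1/namespaces/%s/%s/%s' "$ns" "$resource" "$name"
  else
    printf '/api/v1/namespaces/%s/%s' "$ns" "$resource"
  fi
}

# classify_status BODY
# Coarse triage of a Kubernetes Status response without jq:
#   forbidden-cluster-scope : 403 whose message says "at the cluster scope";
#                             for a namespaced resource this means the path
#                             is wrong, not (only) the RBAC binding
#   forbidden               : any other 403 (RBAC really denies it)
#   unauthorized            : 401 (token missing, expired or not accepted)
#   other                   : no failure code in the body
classify_status() {
  local body=$1 code
  code=$(printf '%s\n' "$body" | sed -n 's/.*"code": *\([0-9][0-9]*\).*/\1/p')
  case "$code" in
    401) echo unauthorized ;;
    403) case "$body" in
           *'at the cluster scope'*) echo forbidden-cluster-scope ;;
           *)                        echo forbidden ;;
         esac ;;
    *)   echo other ;;
  esac
}

# sa_get NAMESPACE RESOURCE [NAME]
# GET with the pod's mounted token. The mounted CA bundle is used instead of
# curl -k, so the bearer token is only sent to the real API server.
sa_get() {
  local token
  token=$(cat "$SA_DIR/token")
  curl -sS --cacert "$SA_DIR/ca.crt" \
       -H "Authorization: Bearer $token" \
       "$API_SERVER$(k8s_path "$@")"
}

# Constructed sample: the Status body from the question, in the compact form
# the server actually emits.
SAMPLE_403='{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"default \"pods\" is forbidden: User \"system:serviceaccount:default:podkiller\" cannot get resource \"default/ubuntu\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"name":"pods","kind":"default"},"code":403}'

# When run inside the pod: fetch the pod named in the question through its
# real namespaced path, using the namespace file that is mounted next to
# the token, and print the triage result.
if [ -r "$SA_DIR/token" ]; then
  ns=$(cat "$SA_DIR/namespace")
  body=$(sa_get "$ns" pods ubuntu)
  classify_status "$body"
fi
```

If the corrected path still returns forbidden, the binding is the next thing to check; from outside the cluster, kubectl auth can-i get pods -n default --as=system:serviceaccount:default:podkiller answers that directly for the subject the ClusterRoleBinding names.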