CronJob Pod with an RBAC Role via a ServiceAccount keeps throwing Forbidden errors
I want to run a StatefulSet patch from a Pod via a CronJob for a specific use case. For this I created the following manifests with a custom ServiceAccount, Role and RoleBinding to allow the Pod to access the apps API group with the patch verb, but I keep hitting the following error:

Error from server (Forbidden): statefulsets.apps "test-statefulset" is forbidden: User "system:serviceaccount:test-namespace:test-serviceaccount" cannot get resource "statefulsets" in API group "apps" in the namespace "test-namespace"

My k8s manifests:

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    env: test
  name: test-serviceaccount
  namespace: test-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    env: test
  name: test-role
  namespace: test-namespace
rules:
- apiGroups:
  - apps/v1
  resourceNames:
  - test-statefulset
  resources:
  - statefulsets
  verbs:
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
  name: test-binding
  namespace: test-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-role
subjects:
- kind: ServiceAccount
  name: test-serviceaccount
  namespace: test-namespace
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  labels:
  name: test-job
  namespace: test-namespace
spec:
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 3
  jobTemplate:
    metadata:
      labels:
        env: test
    spec:
      activeDeadlineSeconds: 900
      backoffLimit: 1
      parallelism: 1
      template:
        metadata:
          labels:
            env: test
        spec:
          containers:
          - args:
            - kubectl -n test-namespace patch statefulset test-statefulset -p '{"spec":{"replicas":0}}'
            - kubectl -n test-namespace patch statefulset test-statefulset -p '{"spec":{"replicas":1}}'
            command:
            - /bin/sh
            - -c
            image: bitnami/kubectl
          restartPolicy: Never
          serviceAccountName: test-serviceaccount
  schedule: '*/5 * * * *'
  startingDeadlineSeconds: 300
  successfulJobsHistoryLimit: 3
  suspend: false

Debugging so far:

  1. I checked whether the Pod and ServiceAccount association works as expected, and it seems to. I can see that the secret mounted on the Pod started by the CronJob has the correct name.

  2. Used a simpler Role where apiGroups is "" (i.e. all core groups) and tried to "get pods" from that Pod; same error.

Role description:

Name:         test-role
Labels:       env=test
Annotations:  <none>
PolicyRule:
Resources             Non-Resource URLs  Resource Names   Verbs
---------             -----------------  --------------   -----
statefulsets.apps/v1  []                 [test-statefulset]  [patch]

RoleBinding description:

Name:         test-binding
Labels:       env=test
Annotations:  <none>
Role:
Kind:  Role
Name:  test-role
Subjects:
Kind            Name                Namespace
----            ----                ---------
ServiceAccount  test-serviceaccount  test-namespace

A StatefulSet needs two verbs to apply a patch: get and patch. patch alone is not enough.
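As an added example (not from the question or the answer), here is a Role that grants the two verbs the answer names while staying scoped to the single StatefulSet; it also uses the group name `apps` rather than `apps/v1`, because the RBAC `apiGroups` field takes a group name without a version, so `apps/v1` matches nothing. The RoleBinding and ServiceAccount from the question stay unchanged; the `kubectl auth can-i` commands in the trailing comment impersonate the ServiceAccount so the binding can be checked before the next CronJob run.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    env: test
  name: test-role
  namespace: test-namespace
rules:
- apiGroups:
  - apps               # group name only; "apps/v1" (group/version) never matches
  resourceNames:
  - test-statefulset   # least privilege: only this StatefulSet, not all of them
  resources:
  - statefulsets
  verbs:
  - get                # kubectl patch reads the object first (the GET in the error)
  - patch
# Verify as the ServiceAccount before waiting for the next run (shell commands, not YAML):
#   kubectl -n test-namespace auth can-i get statefulsets/test-statefulset \
#     --as=system:serviceaccount:test-namespace:test-serviceaccount
#   kubectl -n test-namespace auth can-i patch statefulsets/test-statefulset \
#     --as=system:serviceaccount:test-namespace:test-serviceaccount
# Both should print "yes"; a "no" on either points at the Role or the RoleBinding.
```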