User "system:node:anth-admin-host1" cannot list resource "events"



I cannot apply this ClusterRole to my admin cluster to add RBAC. After authorization, I used the same YAML file on my user cluster without any problem.

How can I fix this?

Could it be a problem with the kubeconfig file?

ubuntu@anth-mgt-wksadmin:~$ cat cloud-console-reader.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
ubuntu@anth-mgt-wksadmin:~$ kubectl apply -f cloud-console-reader.yaml --kubeconfig kubeconfig
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "rbac.authorization.k8s.io/v1, Resource=clusterroles", GroupVersionKind: "rbac.authorization.k8s.io/v1, Kind=ClusterRole"
Name: "cloud-console-reader", Namespace: ""
from server for: "cloud-console-reader.yaml": clusterroles.rbac.authorization.k8s.io "cloud-console-reader" is forbidden: User "system:node:anth-admin-host1" cannot get resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope

ubuntu@anth-mgt-wksadmin:~$ kubectl get nodes --kubeconfig kubeconfig
NAME               STATUS   ROLES                  AGE     VERSION
anth-admin-host1   Ready    control-plane,master   7d4h    v1.20.5-gke.1301
anth-admin-host3   Ready    <none>                 3h50m   v1.20.5-gke.1301
anth-admin-host4   Ready    <none>                 6d7h    v1.20.5-gke.1301
anth-admin-host5   Ready    <none>                 3h48m   v1.20.5-gke.1301
ubuntu@anth-mgt-wksadmin:~$ kubectl cluster-info dump --kubeconfig kubeconfig | tail -1
Error from server (Forbidden): events is forbidden: User "system:node:anth-admin-host1" cannot list resource "events" in API group "" in the namespace "kube-system"


Problem solved

I copied the admin.conf file from one of the admin cluster nodes to the admin workstation and renamed it kubeconfig.

root@anth-admin-host1:~# cat /etc/kubernetes/admin.conf
apiVersion: v1
clusters:

Now everything works!

I tried reformatting your YAML file in my environment and noticed that a few indentation changes resolve your error:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloud-console-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]

Notes:

  1. A ClusterRole can also be created with kubectl in a single line:

    kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
    
  2. Make sure RBAC is enabled.

  3. If RBAC is enabled and the deployment controller is missing the service account defined in the deployment controller pod, adding this SA and its role/binding should let you mitigate the problem easily. There are two ways to create the binding, a simple one-liner or the YAML way:

    Grant "cluster-admin" permissions;

    Assign the ClusterRole to the user named "root".
    kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root
    
  4. The kubeconfig file can come from a trusted source, or it can be crafted by hand. Below are some steps for crafting a kubeconfig file. kubeconfig files can also be merged.
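To make the Forbidden errors in the question concrete, here is an added, stdlib-only model of how RBAC evaluates a role (it is not code from either answer). It encodes the rules of the cloud-console-reader ClusterRole shown above and replays the requests kubectl made; the evaluator is a simplification (no resourceNames, no nonResourceURLs) and the identity model does not cover the Node authorizer, which is what actually governs a "system:node:..." credential.

```python
"""Minimal model of Kubernetes RBAC rule evaluation (constructed example)."""
from typing import Dict, List

# Rules of the cloud-console-reader ClusterRole from the question.
CLOUD_CONSOLE_READER: List[Dict[str, List[str]]] = [
    {"apiGroups": [""], "resources": ["nodes", "persistentvolumes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
     "verbs": ["get", "list", "watch"]},
]

# What the built-in cluster-admin ClusterRole grants (everything).
CLUSTER_ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]


def _matches(wanted: str, allowed: List[str]) -> bool:
    """RBAC list matching: an exact entry or the '*' wildcard."""
    return "*" in allowed or wanted in allowed


def _resource_matches(resource: str, allowed: List[str]) -> bool:
    """Resources may be 'pods', a subresource 'pods/log', or '*/log'."""
    if _matches(resource, allowed):
        return True
    if "/" in resource:
        _, sub = resource.split("/", 1)
        return f"*/{sub}" in allowed
    return False


def rbac_allows(rules, verb: str, api_group: str, resource: str) -> bool:
    """RBAC is allow-only: a request passes iff one rule matches verb,
    apiGroup and resource together. Nothing is ever denied explicitly,
    so a request no rule covers is Forbidden."""
    return any(
        _matches(verb, r.get("verbs", []))
        and _matches(api_group, r.get("apiGroups", []))
        and _resource_matches(resource, r.get("resources", []))
        for r in rules
    )


def explain(rules, verb, api_group, resource,
            user="system:node:anth-admin-host1") -> str:
    """Phrase the decision the way the API server's Forbidden error does."""
    outcome = "can" if rbac_allows(rules, verb, api_group, resource) else "cannot"
    return (f'User "{user}" {outcome} {verb} resource "{resource}" '
            f'in API group "{api_group}"')
```

Even had the kubelet identity in the question's kubeconfig been bound to this role, listing events or getting clusterroles would still be refused, because no rule covers them; only a subject with cluster-admin (the admin.conf credential the poster switched to) matches the pre-apply GET on clusterroles.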
