那么有谁确切地知道我需要在我的服务帐户yaml中放入什么,以便在我尝试通过REST API列出内容时不会被拒绝访问我的服务帐户: curl https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/persistentvolumeclaims -X GET -k -H "Authorization: Bearer $(cat/var/run/secrets/kubernetes.io/serviceaccount/token(" 用户"system:serviceaccount:default:my-service-service-account"不能在命名空间"default"中列出持久卷声明。
我的 RBAC 服务帐户在 YAML 中设置如下:
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.service.name }}-service-account
labels:
app: {{ .Values.service.name }}
automountServiceAccountToken: true
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: {{ .Values.service.name }}-role
labels:
app: {{ .Values.service.name }}
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list","delete"]
- apiGroups: [""] # "" indicates the core API group
resources: ["persistentvolumeclaims"]
verbs: ["get", "watch", "list","delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ .Values.service.name }}-role-binding
labels:
app: {{ .Values.service.name }}
subjects:
- kind: ServiceAccount
# Reference to upper's `metadata.name`
name: {{ .Values.service.name }}-service-account
# Reference to upper's `metadata.namespace`
namespace: default
roleRef:
kind: Role
name: {{ .Values.service.name }}-role
apiGroup: rbac.authorization.k8s.io
您显示的角色仅允许对默认命名空间中的 pod 具有获取/列出/监视/删除权限
如果需要列出持久卷声明的权限,还需要在角色中包含该谓词和资源