k8s gce1.8.7-禁止播客-未知的用户系统:serviceaccount:default:default [英] k8s gce1.8.7 - pods is forbidden - Unknown user system:serviceaccount:default:default
问题描述
我在gce中有一个mongo数据库. (配置请参见下文)
I have a mongo database in the gce . (config see below)
当我将其部署到 1.7.12-gke.1 时,一切正常.这意味着Sidecar会解析pod和链接
when i deploy it to a 1.7.12-gke.1 everything works fine. Which means the sidecar resolves the pods and links then
现在,当我将相同的配置部署到 1.8.7-gke.1 时,会导致缺少列出Pod的权限,见下文.
now when i deploy the same konfiguration to 1.8.7-gke.1 resultes in missing permissions to list pods see below.
我不知道发生了什么变化.我假设我需要为用户帐户分配特定权限,对吗?
I don't get the point what has changed . I assume i need to assign specific permissions to the user account is that right ?
我想念什么?
错误日志
message: 'pods is forbidden: User "system:serviceaccount:default:default" cannot list pods at the cluster scope: Unknown user "system:serviceaccount:default:default"',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | status: 'Failure',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | metadata: {},
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | apiVersion: 'v1',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | { kind: 'Status',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | message:
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | Error in workloop { [Error: [object Object]]
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | statusCode: 403 }
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | code: 403 },
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | details: { kind: 'pods' },
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | reason: 'Forbidden',
配置:
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: fast
provisioner: kubernetes.io/gce-pd
parameters:
type: pd-ssd
---
apiVersion: v1
kind: Service
metadata:
name: mongo
labels:
name: mongo
spec:
ports:
- port: 27017
targetPort: 27017
clusterIP: None
selector:
role: mongo
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: mongo
spec:
serviceName: "mongo"
replicas: 3
template:
metadata:
labels:
role: mongo
environment: test
spec:
terminationGracePeriodSeconds: 10
containers:
- name: mongo
image: mongo:3.4.9
command:
- mongod
- "--replSet"
- rs0
- "--smallfiles"
- "--noprealloc"
ports:
- containerPort: 27017
volumeMounts:
- name: mongo-persistent-storage
mountPath: /data/db
- name: mongo-sidecar
image: cvallance/mongo-k8s-sidecar
env:
- name: MONGO_SIDECAR_POD_LABELS
value: "role=mongo,environment=test"
volumeClaimTemplates:
- metadata:
name: mongo-persistent-storage
annotations:
volume.beta.kubernetes.io/storage-class: "fast"
spec:
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: 5Gi
推荐答案
根据原始解决方案:您必须创建角色绑定,这将授予默认服务帐户查看权限:
You have to create role binding which will grant the default service account view permissions:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: default-view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: default
namespace: default
这篇关于k8s gce1.8.7-禁止播客-未知的用户系统:serviceaccount:default:default的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!