k8s gce1.8.7-禁止播客-未知的用户系统:serviceaccount:default:default [英] k8s gce1.8.7 - pods is forbidden - Unknown user system:serviceaccount:default:default

问题描述

我在gce中有一个mongo数据库. (配置请参见下文)

I have a mongo database in the gce . (config see below)

当我将其部署到 1.7.12-gke.1 时，一切正常.这意味着Sidecar会解析pod和链接

when i deploy it to a 1.7.12-gke.1 everything works fine. Which means the sidecar resolves the pods and links then

现在，当我将相同的配置部署到 1.8.7-gke.1 时，会导致缺少列出Pod的权限，见下文.

now when i deploy the same konfiguration to 1.8.7-gke.1 resultes in missing permissions to list pods see below.

我不知道发生了什么变化.我假设我需要为用户帐户分配特定权限，对吗?

I don't get the point what has changed . I assume i need to assign specific permissions to the user account is that right ?

我想念什么?

错误日志

message: 'pods is forbidden: User "system:serviceaccount:default:default" cannot list pods at the cluster scope: Unknown user "system:serviceaccount:default:default"',

mongo-sidecar | Feb 28, 2018, 11:04:19 AM | status: 'Failure',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | metadata: {},
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | apiVersion: 'v1',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | { kind: 'Status',
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | message:
mongo-sidecar | Feb 28, 2018, 11:04:19 AM | Error in workloop { [Error: [object Object]]
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | statusCode: 403 }
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | code: 403 },
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | details: { kind: 'pods' },
mongo-sidecar | Feb 28, 2018, 11:04:14 AM | reason: 'Forbidden',

配置:

---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fast
provisioner: kubernetes.io/gce-pd
parameters:
  type: pd-ssd
---
apiVersion: v1
kind: Service
metadata:
  name: mongo
  labels:
    name: mongo
spec:
  ports:
  - port: 27017
    targetPort: 27017
  clusterIP: None
  selector:
    role: mongo
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: mongo
spec:
  serviceName: "mongo"
  replicas: 3
  template:
    metadata:
      labels:
        role: mongo
        environment: test
    spec:
      terminationGracePeriodSeconds: 10
      containers:
        - name: mongo
          image: mongo:3.4.9
          command:
            - mongod
            - "--replSet"
            - rs0
            - "--smallfiles"
            - "--noprealloc"
          ports:
            - containerPort: 27017
          volumeMounts:
            - name: mongo-persistent-storage
              mountPath: /data/db
        - name: mongo-sidecar
          image: cvallance/mongo-k8s-sidecar
          env:
            - name: MONGO_SIDECAR_POD_LABELS
              value: "role=mongo,environment=test"
  volumeClaimTemplates:
  - metadata:
      name: mongo-persistent-storage
      annotations:
        volume.beta.kubernetes.io/storage-class: "fast"
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:

          storage: 5Gi

推荐答案

根据原始解决方案:您必须创建角色绑定，这将授予默认服务帐户查看权限:

You have to create role binding which will grant the default service account view permissions:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: default-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default

这篇关于k8s gce1.8.7-禁止播客-未知的用户系统:serviceaccount:default:default的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！