尝试使用自定义服务帐户创建Pod时出现403错误 [英] Getting 403 error while trying to create Pods using Custom Service Account
问题描述
我在k8s集群中创建了以下对象.
- 命名空间( testpsp )
- 自定义服务帐户( testuser )
- 角色和RoleBindings通过.清单文件
请在下面的yaml文件中查看Role和RoleBinding资源.
$ cat developer.yamlapiVersion:rbac.authorization.k8s.io/v1种类:角色元数据:名称:开发人员命名空间:testpsp规则:-apiGroups:-"资源:-豆荚动词:- 得到- 创造-apiGroups:-扩展- 应用资源:-部署-复制集动词:-'*'
$ cat developer-binding.yamlapiVersion:rbac.authorization.k8s.io/v1种类:RoleBinding元数据:名称:开发人员绑定命名空间:testpsp角色参考:apiGroup:rbac.authorization.k8s.io种类:角色名称:开发人员学科:-种类:ServiceAccount名称:testuser
正如您在上述角色清单文件中所看到的,我已将 Pod 资源上的 CREATE权限授予了 testuser 服务帐户.但是仍然我得到了错误.
错误
来自服务器的错误(禁止):创建"hello-pod.yaml"时出错:禁止使用pod:用户"testuser"无法在名称空间"testpsp"中的API组"中创建资源"pods"
这是Pod yaml文件.我在这里想念什么吗?
<代码>$ cat hello-pod.yamlapiVersion:v1种类:豆荚元数据:名称:hello-pod命名空间:testpsp规格:serviceAccountName:testuser容器:-名称:hello-kubernetes图片:paulbouwer/hello-kubernetes:1.5端口:-containerPort:8080
这是我正在运行的用于创建Pod的命令.
$ kubectl --as = testuser -n testpsp create -f hello-pod.yaml
在解决此问题时,我注意到,与其直接在kubectl命令的"as"标志中提及ServiceAccount名称,还需要使用以下格式
system:serviceaccount:< namespace_name>:< serviceaccount_name>
就我而言,它看起来像这样- system:serviceaccount:testpsp:testuser
此后,它开始正常运行.
I created following objects in k8s cluster.
- Namespace (testpsp)
- Custom ServiceAccount (testuser)
- Role and RoleBindings via. Manifest files
Please see below the yaml files for Role and RoleBinding resources.
$ cat developer.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer
namespace: testpsp
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- create
- apiGroups:
- extensions
- apps
resources:
- deployments
- replicasets
verbs:
- '*'
$ cat developer-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: developer-binding
namespace: testpsp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: developer
subjects:
- kind: ServiceAccount
name: testuser
As you can see in above mentioned role manifest file, I have given CREATE permission on Pod resource to testuser Service account. But still I am getting the error.
Error
Error from server (Forbidden): error when creating "hello-pod.yaml": pods is forbidden: User "testuser" cannot create resource "pods" in API group "" in the namespace "testpsp"
Here is the Pod yaml file. Am i missing anything here?
$ cat hello-pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: hello-pod
namespace: testpsp
spec:
serviceAccountName: testuser
containers:
- name: hello-kubernetes
image: paulbouwer/hello-kubernetes:1.5
ports:
- containerPort: 8080
Here is the command that I'm running to create the Pod.
$ kubectl --as=testuser -n testpsp create -f hello-pod.yaml
while troubleshooting this issue, I noticed that instead of directly mentioning the ServiceAccount name in "as" flag in kubectl command, we need to use the following format
system:serviceaccount:<namespace_name>:<serviceaccount_name>
In my case, it will look like this - system:serviceaccount:testpsp:testuser
Afterwards, it started working fine.
这篇关于尝试使用自定义服务帐户创建Pod时出现403错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
