Kubernetes log, User "system:serviceaccount:default:default" cannot get services in the namespace


Problem description

Forbidden! Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:default:default" cannot get services in the namespace "mycomp-services-process"

For the above issue I have created "mycomp-service-process" namespace and checked the issue.

But it shows again message like this:

Message: Forbidden! Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:mycomp-services-process:default" cannot get services in the namespace "mycomp-services-process"

Recommended answer

Creating a namespace won't, of course, solve the issue, as that is not the problem at all.

In the first error the issue is that serviceaccount default in default namespace can not get services because it does not have access to list/get services. So what you need to do is assign a role to that user using clusterrolebinding.

Following the set of minimum privileges, you can first create a role which has access to list services:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # A ClusterRole is cluster-scoped, so it carries no metadata.namespace
  name: service-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services"]
  verbs: ["get", "watch", "list"]

What above snippet does is create a clusterrole which can list, get and watch services. (You will have to create a yaml file and apply above specs)

Now we can use this clusterrole to create a clusterrolebinding:

kubectl create clusterrolebinding service-reader-pod \
  --clusterrole=service-reader \
  --serviceaccount=default:default

In above command the service-reader-pod is name of clusterrolebinding and it is assigning the service-reader clusterrole to default serviceaccount in default namespace. Similar steps can be followed for the second error you are facing.

In this case I created clusterrole and clusterrolebinding but you might want to create a role and rolebinding instead. You can check the documentation in detail here
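The namespaced Role/RoleBinding variant the answer mentions, worked through for the second error (service account "default" in namespace "mycomp-services-process"), as an added example that is not part of the original answer. A Role and RoleBinding are confined to one namespace, so the grant cannot reach services anywhere else in the cluster, which is the least-privilege shape for this case. The function names, the manifest it renders and the apply-then-verify step with `kubectl auth can-i --as` are this example's own assumptions; the impersonation check asks the API server whether the given subject would be allowed, so it confirms the fix without running anything as that service account.

```shell
#!/bin/sh
# Added example, not code from the original answer. Renders a namespaced
# Role + RoleBinding that grant read-only access to services for one
# service account, then (optionally) applies it and verifies the grant.

# Render the manifest. Both objects live inside namespace $1, and the
# binding names the service account $2 in that same namespace.
render_service_reader_rbac() {
  ns="$1"; sa="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${ns}
  name: service-reader
rules:
- apiGroups: [""]          # "" is the core API group, where services live
  resources: ["services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${ns}
  name: service-reader-binding
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: service-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the manifest, then ask the API server whether the service account
# can now "get services" in that namespace. "--as" impersonates the subject
# for the authorization check only. Skipped when kubectl is not on PATH so
# the script still runs offline.
apply_and_verify() {
  ns="$1"; sa="$2"
  if ! command -v kubectl >/dev/null 2>&1; then
    echo "kubectl not found; printing the manifest only" >&2
    return 0
  fi
  render_service_reader_rbac "$ns" "$sa" | kubectl apply -f -
  kubectl auth can-i get services \
    --namespace "$ns" \
    --as "system:serviceaccount:${ns}:${sa}"   # expected answer: yes
}

# Stand-alone run: print the manifest for the namespace from the question.
# Against a real cluster, call:  apply_and_verify mycomp-services-process default
render_service_reader_rbac mycomp-services-process default
```

Run it against the cluster with `apply_and_verify mycomp-services-process default`; `kubectl auth can-i` printing `yes` afterwards means the dashboard's "cannot get services" error for that service account should be gone, while `kubectl auth can-i get services --namespace default --as system:serviceaccount:mycomp-services-process:default` should still print `no`, which is the point of choosing a Role over a ClusterRole here.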
