kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:default:journalbeat" cannot list resource "pods" in API group ""


Question

Not sure what is wrong here, as I have given the correct privileges but am still getting a forbidden error.

I am using the following YAMLs for ClusterRole, ClusterRoleBinding and ServiceAccount.

ClusterRole


---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: journalbeat
rules:
  - apiGroups:
      - extensions
    resourceNames:
      - journalbeat
    resources:
      - podsecuritypolicies
    verbs:
      - use
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
    verbs:
      - get
      - watch
      - list

Rolebinding.yaml


---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: journalbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: journalbeat
subjects:
  - kind: ServiceAccount
    name: journalbeat
    namespace: journalbeat

ServiceAccount


---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: journalbeat

Error logs of the journalbeat pod:

$ kubectl logs -f journalbeat-4thzj
2020-06-24T06:30:34.947Z        INFO    instance/beat.go:606    Home path: [/usr/share/journalbeat] Config path: [/usr/share/journalbeat] Data path: [/usr/share/journalbeat/data] Logs path: [/usr/share/journalbeat/logs]
2020-06-24T06:30:34.952Z        INFO    instance/beat.go:614    Beat ID: dd2ed096-8ad0-4e7d-86f8-340acfcddd1d
2020-06-24T06:30:34.953Z        INFO    kubernetes/util.go:71   kubernetes: Using node ip-172-28-20-76 provided in the config
2020-06-24T06:30:34.953Z        INFO    kubernetes/watcher.go:182       kubernetes: Performing a resource sync for *v1.PodList
2020-06-24T06:30:34.961Z        ERROR   kubernetes/watcher.go:185       kubernetes: Performing a resource sync err kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:default:journalbeat" cannot list resource "pods" in API group "" at the cluster scope for *v1.PodList
2020-06-24T06:30:34.961Z        INFO    instance/beat.go:366    journalbeat stopped.
2020-06-24T06:30:34.961Z        ERROR   instance/beat.go:877    Exiting: error initializing processors: kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:default:journalbeat" cannot list resource "pods" in API group "" at the cluster scope
Exiting: error initializing processors: kubernetes api: Failure 403 pods is forbidden: User "system:serviceaccount:default:journalbeat" cannot list resource "pods" in API group "" at the cluster scope

$ kubectl auth can-i get pods --as system:serviceaccount:default:journalbeat
no


Answer

Your ServiceAccount is in the default namespace, so modify the ClusterRoleBinding as follows:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: journalbeat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: journalbeat
subjects:
  - kind: ServiceAccount
    name: journalbeat
    namespace: default # as your ServiceAccount is in default namespace
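The reason the answer works is visible in how the API server resolves a ServiceAccount token: the token carries the username `system:serviceaccount:<namespace>:<name>`, and a ClusterRoleBinding only applies if one of its subjects spells out exactly that namespace and name. The ServiceAccount in the question was created without `metadata.namespace`, so it landed in `default`, while the binding pointed at `journalbeat:journalbeat`, a subject that exists nowhere. The following is an added example (not code from the question, the answer or the journalbeat project) that models that lookup offline against the page's manifests, transcribed to Python dicts, and also flags binding subjects that match no known ServiceAccount, which is the check that would have caught this misconfiguration before deployment. It assumes the questioner's kubectl context namespace was `default`, as the log's username shows.

```python
# Added example: offline model of the RBAC lookup the Kubernetes API server
# performs for a ServiceAccount, applied to the manifests from the page.
# Manifests are the page's YAML transcribed to dicts; no cluster is contacted.

DEFAULT_NAMESPACE = "default"  # kubectl context namespace (assumption)

CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "journalbeat"},
    "rules": [
        {"apiGroups": ["extensions"], "resourceNames": ["journalbeat"],
         "resources": ["podsecuritypolicies"], "verbs": ["use"]},
        {"apiGroups": [""], "resources": ["namespaces", "pods"],
         "verbs": ["get", "watch", "list"]},
    ],
}

# Posted without metadata.namespace, so it is created in the context namespace.
SERVICE_ACCOUNT = {"kind": "ServiceAccount", "metadata": {"name": "journalbeat"}}


def binding(subject_namespace):
    """The page's ClusterRoleBinding, parameterised on the subject namespace."""
    return {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "journalbeat"},
        "roleRef": {"kind": "ClusterRole", "name": "journalbeat"},
        "subjects": [{"kind": "ServiceAccount", "name": "journalbeat",
                      "namespace": subject_namespace}],
    }


BINDING_AS_POSTED = binding("journalbeat")  # the questioner's version
BINDING_FIXED = binding("default")          # the answer's version


def sa_username(sa, default_ns=DEFAULT_NAMESPACE):
    """Username the API server derives from a ServiceAccount's token."""
    ns = sa["metadata"].get("namespace", default_ns)
    return f"system:serviceaccount:{ns}:{sa['metadata']['name']}"


def subject_username(subject):
    """Username a ServiceAccount subject in a binding refers to."""
    return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"


def rule_allows(rule, verb, resource, api_group, resource_name=None):
    """PolicyRule matching with '*' wildcards and resourceNames scoping."""
    def matches(values, wanted):
        return "*" in values or wanted in values

    if not matches(rule.get("apiGroups", []), api_group):
        return False
    if not matches(rule.get("resources", []), resource):
        return False
    if not matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames")
    if names:
        # A name-scoped rule never covers collection requests such as list.
        return resource_name is not None and resource_name in names
    return True


def can_i(user, verb, resource, api_group, roles, bindings, resource_name=None):
    """Mimic `kubectl auth can-i <verb> <resource> --as <user>` at cluster scope."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    for b in bindings:
        bound = any(s["kind"] == "ServiceAccount" and subject_username(s) == user
                    for s in b.get("subjects", []))
        role = roles_by_name.get(b["roleRef"]["name"])
        if not bound or role is None:
            continue  # this binding does not name the user, or its role is missing
        if any(rule_allows(r, verb, resource, api_group, resource_name)
               for r in role["rules"]):
            return True
    return False


def dangling_subjects(b, service_accounts, default_ns=DEFAULT_NAMESPACE):
    """ServiceAccount subjects of a binding that match no known ServiceAccount."""
    known = {sa_username(sa, default_ns) for sa in service_accounts}
    return [subject_username(s) for s in b.get("subjects", [])
            if s["kind"] == "ServiceAccount" and subject_username(s) not in known]


if __name__ == "__main__":
    user = sa_username(SERVICE_ACCOUNT)
    for label, b in (("as posted", BINDING_AS_POSTED), ("fixed", BINDING_FIXED)):
        ok = can_i(user, "list", "pods", "", [CLUSTER_ROLE], [b])
        print(f"{label}: {user} can list pods? {'yes' if ok else 'no'}; "
              f"dangling subjects: {dangling_subjects(b, [SERVICE_ACCOUNT])}")
```

Running it shows the binding as posted grants nothing to `system:serviceaccount:default:journalbeat` and carries one dangling subject, while the fixed binding grants `list pods` and has none. The same `dangling_subjects` idea, run over every binding and ServiceAccount in a cluster export, is a cheap pre-deployment check for exactly this class of mistake; the name-scoped `podsecuritypolicies` rule is also modelled, since it is the reason `use` on that single policy is permitted while `list` on it would not be.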
    
