从禁止的豆荚内列出豆荚 [英] Listing pods from inside a pod Forbidden

问题描述

我是kubernetes的新手.我正在尝试通过javascript客户端从容器/容器内部列出命名空间中的所有容器.

I'm new to kubernetes. I'm trying to list all the pods in a namespace from inside a pod/container via the javascript client.

import k8s = require('@kubernetes/client-node');

const kc = new k8s.KubeConfig();
kc.loadFromDefault();

const k8sApi = kc.makeApiClient(k8s.Core_v1Api);

k8sApi.listNamespacedPod('development')
    .then((res) => {
        console.log(res.body);
    }).catch((err) => {
        console.log(err);
    });

当我查看pod日志时，响应错误:

The response error when I look at my pod logs:

{ kind: 'Status',
 apiVersion: 'v1',
 metadata: {},
 status: 'Failure',
 message:
  'pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "development"',
 reason: 'Forbidden',
 details: { kind: 'pods' },
 code: 403 } } 

我认为我需要创建一个新用户或向角色添加一些权限，但是我不确定在哪里以及如何进行.谢谢

I believe I need to create a new User or add some permissions to a Role but I'm not sure where and how. Thanks

推荐答案

如@ Robert Panzer 在<一个href ="https://stackoverflow.com/questions/47813698/access-kubernetes-api-without-kubectl">访问没有Kubectl的Kubernetes API ，您可以创建一个角色和一个角色绑定以启用Pod的列表与:

As @Robert Panzer suggested in Access Kubernetes API without kubectl, you can create a role and a rolebinding to enable listing of pods with:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

这篇关于从禁止的豆荚内列出豆荚的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！