从禁止的豆荚内列出豆荚 [英] Listing pods from inside a pod Forbidden
问题描述
我是kubernetes的新手.我正在尝试通过javascript客户端从容器/容器内部列出命名空间中的所有容器.
I'm new to kubernetes. I'm trying to list all the pods in a namespace from inside a pod/container via the javascript client.
import k8s = require('@kubernetes/client-node');
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const k8sApi = kc.makeApiClient(k8s.Core_v1Api);
k8sApi.listNamespacedPod('development')
.then((res) => {
console.log(res.body);
}).catch((err) => {
console.log(err);
});
当我查看pod日志时,响应错误:
The response error when I look at my pod logs:
{ kind: 'Status',
apiVersion: 'v1',
metadata: {},
status: 'Failure',
message:
'pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "development"',
reason: 'Forbidden',
details: { kind: 'pods' },
code: 403 } }
我认为我需要创建一个新用户或向角色添加一些权限,但是我不确定在哪里以及如何进行.谢谢
I believe I need to create a new User or add some permissions to a Role but I'm not sure where and how. Thanks
推荐答案
如@ Robert Panzer 在<一个href ="https://stackoverflow.com/questions/47813698/access-kubernetes-api-without-kubectl">访问没有Kubectl的Kubernetes API ,您可以创建一个角色和一个角色绑定以启用Pod的列表与:
As @Robert Panzer suggested in Access Kubernetes API without kubectl, you can create a role and a rolebinding to enable listing of pods with:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-reader
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io
这篇关于从禁止的豆荚内列出豆荚的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!