Kubernetes log, User "system:serviceaccount:default:default" cannot get services in the namespace
Question
Forbidden! Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:default:default" cannot get services in the namespace "mycomp-services-process"
For the above issue I have created the "mycomp-service-process" namespace and checked the issue.
But it shows the message again, like this:
Message: Forbidden! Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:mycomp-services-process:default" cannot get services in the namespace "mycomp-services-process"
Answer
Creating a namespace won't, of course, solve the issue, as that is not the problem at all.
In the first error the issue is that the serviceaccount default in the default namespace cannot get services because it does not have access to list/get services. So what you need to do is assign a role to that user using a clusterrolebinding.
Following the set of minimum privileges, you can first create a role which has access to list services:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # A ClusterRole is cluster-scoped, so it carries no namespace field
  name: service-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["services"]
  verbs: ["get", "watch", "list"]
What the above snippet does is create a clusterrole which can list, get and watch services. (You will have to create a yaml file and apply the above spec.)
Now we can use this clusterrole to create a clusterrolebinding:
kubectl create clusterrolebinding service-reader-pod \
  --clusterrole=service-reader \
  --serviceaccount=default:default
In the above command, service-reader-pod is the name of the clusterrolebinding and it is assigning the service-reader clusterrole to the default serviceaccount in the default namespace. Similar steps can be followed for the second error you are facing.
In this case I created a clusterrole and clusterrolebinding but you might want to create a role and rolebinding instead. You can check the documentation in detail here.
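To make the difference between the answer's cluster-wide binding and a namespaced role/rolebinding concrete, here is an added example (not code from the original answer) that models the RBAC decision offline: the service-reader rules mirror the answer's ClusterRole, the two subjects are the ones named in the two error messages, and the Role/RoleBinding for the second error is an assumed least-privilege alternative rather than anything the answer posted. Rule matching follows the documented RBAC semantics: a request is allowed if any rule reachable through a binding for the subject matches the API group, resource and verb, and a RoleBinding only applies inside its own namespace.

```python
# Added example: offline model of the Kubernetes RBAC check behind the two
# "cannot get services" errors. Not the original answer's code. The
# service-reader rules mirror the answer's ClusterRole; the namespaced
# Role/RoleBinding for the second error is an assumed alternative.
# Nothing here talks to a cluster; it only reproduces the allow/deny logic.
CORE_GROUP = ""  # the core API group is written as "" in manifests

def rule_matches(rule, api_group, resource, verb):
    """One PolicyRule matches when each field lists the value or '*'."""
    return (
        ("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
        and ("*" in rule["resources"] or resource in rule["resources"])
        and ("*" in rule["verbs"] or verb in rule["verbs"])
    )

def can_i(bindings, subject, namespace, api_group, resource, verb):
    """True if any binding for `subject` grants the request. A binding is
    {"subjects", "rules", "namespace"}: namespace None models a
    ClusterRoleBinding, a string models a RoleBinding for that namespace."""
    for binding in bindings:
        if subject not in binding["subjects"]:
            continue
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue  # a RoleBinding grants nothing outside its namespace
        if any(rule_matches(r, api_group, resource, verb) for r in binding["rules"]):
            return True
    return False  # nothing matched: the API server answers "Forbidden"

# The answer's service-reader ClusterRole: get/watch/list on core "services".
SERVICE_READER = [{"apiGroups": [CORE_GROUP], "resources": ["services"],
                   "verbs": ["get", "watch", "list"]}]

DEFAULT_SA = "system:serviceaccount:default:default"                  # first error
PROCESS_SA = "system:serviceaccount:mycomp-services-process:default"  # second error

# The answer's fix: clusterrolebinding service-reader-pod for default:default.
CLUSTER_WIDE = [{"subjects": [DEFAULT_SA], "rules": SERVICE_READER, "namespace": None}]

# Assumed least-privilege fix for the second error: Role + RoleBinding that
# only applies to the default serviceaccount inside mycomp-services-process.
NAMESPACED = [{"subjects": [PROCESS_SA], "rules": SERVICE_READER,
               "namespace": "mycomp-services-process"}]
```

Note that the cluster-wide binding lets default:default read services in every namespace, while the namespaced variant stops at its namespace boundary; the clusterrolebinding for default:default also does nothing for the second error, whose subject is a different serviceaccount.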