我正在开发与Kubernetes进行交互的工具。我具有允许所有身份验证提供程序的OpenShift设置。我可以按预期登录Web控制台。
我还能够设置一个服务帐户,并为该服务帐户用户分配一个群集角色绑定(bind)。尽管如此,当我使用该服务帐户的 token 访问REST API时,我被禁止了。
当我尝试通过OpenShift命令设置角色绑定(bind)时,会发生以下情况:
[root@host1 ~]# oadm policy add-cluster-role-to-user view em7 --namespace=default
[root@host1 ~]# oadm policy add-cluster-role-to-user cluster-admin em7 --namespace=default
[root@host1 ~]# oadm policy add-cluster-role-to-user cluster-reader em7 --namespace=default
[root@host1 ~]# oc get secrets | grep em7
em7-dockercfg-hnl6m kubernetes.io/dockercfg 1 18h
em7-token-g9ujh kubernetes.io/service-account-token 4 18h
em7-token-rgsbz kubernetes.io/service-account-token 4 18h
TOKEN=`oc describe secret em7-token-g9ujh | grep token: | awk '{ print $2 }'`
[root@host1 ~]# curl -kD - -H "Authorization: Bearer $TOKEN" https://localhost:8443/api/v1/pods
HTTP/1.1 403 Forbidden
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 19 Jun 2018 15:36:40 GMT
Content-Length: 260
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "User \"system:serviceaccount:default:em7\" cannot list all pods in the cluster",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
我也可以尝试使用(Openshift Admin Token)中的yaml文件:
#创建服务帐户“ns-reader”
apiVersion:v1
种类:ServiceAccount
元数据:
名称:ns-reader
命名空间:默认
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: global-reader
rules:
- apiGroups: [""]
# add other rescources you wish to read
resources: ["pods", "secrets"]
verbs: ["get", "watch", "list"]
---
# This cluster role binding allows service account "ns-reader" to read pods in all available namespace
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-ns
subjects:
- kind: ServiceAccount
name: ns-reader
namespace: default
roleRef:
kind: ClusterRole
name: global-reader
apiGroup: rbac.authorization.k8s.io
运行此命令时,出现以下错误:
[root@host1 ~]# kubectl create -f stack_overflow_49667238.yaml
error validating "stack_overflow_49667238.yaml": error validating data: API version "rbac.authorization.k8s.io/v1" isn't supported, only supports API versions ["federation/v1beta1" "v1" "authentication.k8s.io/v1beta1" "componentconfig/v1alpha1" "policy/v1alpha1" "rbac.authorization.k8s.io/v1alpha1" "apps/v1alpha1" "authorization.k8s.io/v1beta1" "autoscaling/v1" "extensions/v1beta1" "batch/v1" "batch/v2alpha1"]; if you choose to ignore these errors, turn validation off with --validate=false
我从列表中尝试了几种不同的API版本,但它们均以类似的方式失败。
最佳答案
oadm policy add-cluster-role-to-user view em7授予名为em7的用户
您需要向服务帐户授予权限,例如oadm policy add-cluster-role-to-user view system:serviceaccount:default:em7