我需要创建可以访问GKE群集的ServiceAccounts。在内部,我使用以下命令执行此操作:
kubectl create serviceaccount onboarding --namespace kube-system
kubectl apply -f onboarding.clusterrole.yaml
kubectl create clusterrolebinding onboarding --clusterrole=onboarding --serviceaccount=kube-system:onboarding
文件
onboarding.clusterrole.yaml的内容如下所示:apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: onboarding
rules:
- apiGroups:
- '*'
resources:
- 'namespace,role,rolebinding,resourcequota'
verbs:
- '*'
ServiceAccount资源已按预期创建,并且ClusterRole和ClusterRoleBinding也看起来正确,但是当我尝试使用此新角色访问API时,身份验证失败。
curl -k -X GET -H "Authorization: Bearer [REDACTED]" https://36.195.83.167/api/v1/namespaces
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "namespaces is forbidden: User \"system:serviceaccount:kube-system:onboarding\" cannot list namespaces at the cluster scope: Unknown user \"system:serviceaccount:kube-system:onboarding\"",
"reason": "Forbidden",
"details": {
"kind": "namespaces"
},
"code": 403
响应表明用户未知,但我确认ServiceAccount存在并且在ClusterRoleBinding的主题中。是否可以通过这种方式为GKE定义ServiceAccount?
我正在数据中心中运行的kubernetes集群上成功使用了确切的过程。
最佳答案
GKE应该具有相同的过程。您的kubectl版本是否与GKE集群的版本匹配?不知道这是否是问题,但是ClusterRole需要使用复数形式的资源,并且资源表示为列表:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: onboarding
rules:
- apiGroups:
- '*'
resources:
- namespaces
- roles
- rolebindings
- resourcequotas
verbs:
- '*'
在K8s 1.11.x上为我工作:
curl -k -X GET -H "Authorization: Bearer [REDACTED]" https://127.0.0.1:6443/api/v1/namespaces
{
"kind": "NamespaceList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces",
"resourceVersion": "12345678"
},
...
关于kubernetes - GKE中的ServiceAccount验证失败,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/52630591/