I am running kubernetes v1.11.5 and have Helm installed with Tiller deployed per namespace.
Let's focus on one namespace. This is the tiller service account configuration:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: marketplace-int
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: marketplace-int
rules:
- apiGroups:
  - ""
  - extensions
  - apps
  - rbac.authorization.k8s.io
  - roles.rbac.authorization.k8s.io
  - authorization.k8s.io
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: marketplace-int
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: marketplace-int
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io

When I try to deploy a chart, I get this error:
Error: release citest failed: roles.rbac.authorization.k8s.io "marketplace-int-role-ns-admin" is forbidden:
attempt to grant extra privileges:
[{[*] [*] [*] [] []}] user=&{system:serviceaccount:marketplace-int:tiller 5c6af739-1023-11e9-a245-0ab514dfdff4
[system:serviceaccounts system:serviceaccounts:marketplace-int system:authenticated] map[]}
ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []}
{[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}
{[*] [ extensions apps rbac.authorization.k8s.io roles.rbac.authorization.k8s.io authorization.k8s.io] [*] [] []}] ruleResolutionErrors=[]

The error appears when trying to create the RBAC config for that namespace (using the tiller SA):
# Source: marketplace/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: citest
    chart: marketplace-0.1.0
    heritage: Tiller
    release: citest
    namespace: marketplace-int
  name: marketplace-int-role-ns-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

The error message clearly states that the tiller service account has no permission for roles.rbac.authorization.k8s.io, but that permission was granted, as shown earlier.
$kubectl describe role tiller-manager
Name:         tiller-manager
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"tiller-manager","namespace":"marketplace-i...
PolicyRule:
  Resources                          Non-Resource URLs  Resource Names  Verbs
  ---------                          -----------------  --------------  -----
  *                                  []                 []              [*]
  *.apps                             []                 []              [*]
  *.authorization.k8s.io             []                 []              [*]
  *.extensions                       []                 []              [*]
  *.rbac.authorization.k8s.io        []                 []              [*]
  *.roles.rbac.authorization.k8s.io  []                 []              [*]

Honestly, I don't fully understand the error message well enough to check whether the ownerrules are fine, and I'm trying to figure out what this part means, which seems to be related to the role description: {[*] [*] [*] [] []}
Any clue about which permissions I'm missing?

Best answer

This is due to privilege escalation prevention in RBAC. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping for details.

Permission to create role objects is necessary, but not sufficient.

A user can only create/update a role if at least one of the following is true:

  • they already have all the permissions contained in the role, at the same scope as the object being modified (cluster-wide for a ClusterRole; within the same namespace or cluster-wide for a Role). In your case, that means the user attempting to create the role must already have apiGroups=*, resources=*, verbs=* permissions within the namespace where it is attempting to create the role. You can grant this by granting the cluster-admin clusterrole to the serviceaccount within that namespace using a rolebinding.
  • they are given explicit permission to perform the "escalate" verb on the roles or clusterroles resource in the rbac.authorization.k8s.io API group (Kubernetes 1.12 and newer).
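The coverage rule the answer describes, and the puzzling {[*] [*] [*] [] []} fragment in the question, can be seen in action with the following Python model of the apiserver's rule-coverage check. This is an added example, written for this page; it is neither Kubernetes' own code nor the answer author's, and it simplifies the real checker (aggregated ClusterRoles and the "escalate" verb are not modelled). The owner rules are copied from the ownerrules= list in the error above, and the cluster-admin rules are the standard ones. The braces in the error print a PolicyRule in Go field order, {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}, so {[*] [*] [*] [] []} is the chart's own wildcard rule, reported back as "extra privileges" the creator does not hold.

```python
"""Model of the RBAC escalation-prevention ("covers") check.

Added illustration for this page, not Kubernetes' own implementation. Rules
below are hand-copied from the question's error message and chart."""

from dataclasses import dataclass, field
from typing import List


@dataclass
class PolicyRule:
    # Field order matches how the apiserver prints a rule in the error:
    # {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}
    verbs: List[str]
    api_groups: List[str] = field(default_factory=list)
    resources: List[str] = field(default_factory=list)
    resource_names: List[str] = field(default_factory=list)
    non_resource_urls: List[str] = field(default_factory=list)

    def __str__(self):
        return "{[%s] [%s] [%s] [%s] [%s]}" % tuple(
            " ".join(x) for x in (self.verbs, self.api_groups, self.resources,
                                  self.resource_names, self.non_resource_urls))


def _verb_ok(owner, verb):
    return "*" in owner.verbs or verb in owner.verbs


def _group_ok(owner, group):
    # A "*" in the *requested* rule is only matched by a "*" in the owner's
    # rule: the checker never expands wildcards into concrete API groups.
    return "*" in owner.api_groups or group in owner.api_groups


def _resource_ok(owner, resource):
    name, _, sub = resource.partition("/")
    for o in owner.resources:
        if o == "*" or o == resource:
            return True
        if sub and (o == "*/" + sub or o == name + "/*"):
            return True
    return False


def _name_ok(owner, name):
    # An owner rule limited to specific resourceNames cannot grant a rule that
    # applies to all names (represented here as name == "").
    return not owner.resource_names or name in owner.resource_names


def _url_ok(owner, url):
    for o in owner.non_resource_urls:
        if o == "*" or o == url or (o.endswith("*") and url.startswith(o[:-1])):
            return True
    return False


def rule_covers(owner, sub):
    """sub is an atomic rule: one verb plus one group/resource/name, or one
    verb plus one non-resource URL."""
    if not _verb_ok(owner, sub.verbs[0]):
        return False
    if sub.non_resource_urls:
        return _url_ok(owner, sub.non_resource_urls[0])
    return (_group_ok(owner, sub.api_groups[0])
            and _resource_ok(owner, sub.resources[0])
            and _name_ok(owner, sub.resource_names[0]))


def break_down(rule):
    """Split a rule into the atomic sub-rules the checker evaluates."""
    subs = []
    names = rule.resource_names or [""]
    for verb in rule.verbs:
        for group in rule.api_groups:
            for res in rule.resources:
                for name in names:
                    subs.append(PolicyRule([verb], [group], [res], [name]))
        for url in rule.non_resource_urls:
            subs.append(PolicyRule([verb], non_resource_urls=[url]))
    return subs


def covers(owner_rules, wanted_rules):
    """Return the atomic sub-rules of wanted_rules that no owner rule grants;
    an empty list means the owner may create/update the role."""
    missing = []
    for rule in wanted_rules:
        for sub in break_down(rule):
            if not any(rule_covers(o, sub) for o in owner_rules):
                missing.append(sub)
    return missing


# Effective rules of the tiller service account, as listed under ownerrules=
# in the error: two default discovery rules plus the tiller-manager Role.
TILLER_OWNER_RULES = [
    PolicyRule(["create"], ["authorization.k8s.io"],
               ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]),
    PolicyRule(["get"], non_resource_urls=[
        "/api", "/api/*", "/apis", "/apis/*", "/healthz", "/openapi",
        "/openapi/*", "/swagger-2.0.0.pb-v1", "/swagger.json", "/swaggerapi",
        "/swaggerapi/*", "/version", "/version/"]),
    PolicyRule(["*"], ["", "extensions", "apps", "rbac.authorization.k8s.io",
                       "roles.rbac.authorization.k8s.io",
                       "authorization.k8s.io"], ["*"]),
]

# The rule the chart's role.yaml tries to grant.
CHART_ROLE_RULES = [PolicyRule(["*"], ["*"], ["*"])]

# What cluster-admin carries: the fix from the answer, bound into the namespace
# with a RoleBinding whose roleRef is the cluster-admin ClusterRole.
CLUSTER_ADMIN_RULES = [PolicyRule(["*"], ["*"], ["*"]),
                       PolicyRule(["*"], non_resource_urls=["*"])]


if __name__ == "__main__":
    for label, owner in (("tiller-manager Role only", TILLER_OWNER_RULES),
                         ("plus cluster-admin RoleBinding",
                          TILLER_OWNER_RULES + CLUSTER_ADMIN_RULES)):
        missing = covers(owner, CHART_ROLE_RULES)
        print(label, "->", "forbidden, extra privileges: " +
              " ".join(map(str, missing)) if missing else "allowed")
```

Run with python3. The tiller-manager Role is reported forbidden because its apiGroups list has no "*" entry, so the requested apiGroups: ["*"] is never matched even though every concrete group the chart touches is listed; once the same service account also holds cluster-admin in the namespace, the check passes. The other way out, if you want to keep the narrow tiller Role, is to drop the wildcard from the chart's role.yaml and list the concrete API groups, which the checker does match literally.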

    A similar question, "kubernetes - roles.rbac.authorization.k8s.io is forbidden even when in apiGroups", can be found on Stack Overflow: https://stackoverflow.com/questions/54043691/

  • 10-15 20:18