问题描述
我正在尝试为需要持久卷的服务创建 RBAC角色/规则,但仍然失败,并出现 forbidden 错误.
I'm trying to create RBAC Role / rules for a service that needs a persistent volume and it's still failing with forbidden error.
这是我的角色配置:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: logdrop-user-full-access
namespace: logdrop
rules:
- apiGroups: ["", "extensions", "apps", "autoscaling"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs: ["*"]
这是我削减的 PersistentVolume 清单:
apiVersion: v1
kind: PersistentVolume
metadata:
name: logdrop-pv
namespace: logdrop
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
claimRef:
namespace: logdrop
name: logdrop-pvc
hostPath:
path: /efs/logdrop/logdrop-pv
当我尝试应用它时,我收到了一个禁止的错误.
When I try to apply it I get a forbidden error.
$ kubectl --kubeconfig ~/logdrop/kubeconfig-logdrop.yml apply -f pv-test.yml
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=persistentvolumes", GroupVersionKind: "/v1, Kind=PersistentVolume"
Name: "logdrop-pv", Namespace: ""
Object: &{map["apiVersion":"v1" "kind":"PersistentVolume" "metadata":map["annotations":map["kubectl.kubernetes.io/last-applied-configuration":""] "name":"logdrop-pv"] "spec":map["accessModes":["ReadWriteMany"] "capacity":map["storage":"10Gi"] "claimRef":map["name":"logdrop-pvc" "namespace":"logdrop"] "hostPath":map["path":"/efs/logdrop/logdrop-pv"] "persistentVolumeReclaimPolicy":"Retain"]]}
from server for: "pv-test.yml": persistentvolumes "logdrop-pv" is forbidden: User "system:serviceaccount:logdrop:logdrop-user" cannot get resource "persistentvolumes" in API group "" at the cluster scope
在最后一行特别指出resource "persistentvolumes" in API group ""-这就是我在规则中所允许的!
On the last line it specifically says resource "persistentvolumes" in API group "" - that's what I have allowed in the rules!
我可以从同一个yaml文件中使用 admin 凭据创建PV,并且可以使用 logdrop 权限创建任何其他资源(吊舱,服务等).出于某些原因,只是 PersistentVolume 不起作用.知道为什么吗?
I can create the PV with admin credentials from the same yaml file and I can create any other resources (pods, services, etc) with the logdrop permissions. Just the PersistentVolume doesn't work for some reason. Any idea why?
我正在使用Kubernetes 1.15.0.
I'm using Kubernetes 1.15.0.
更新:
这是我根据要求绑定的角色:
This is my role binding as requested:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: logdrop-user-view
namespace: logdrop
subjects:
- kind: ServiceAccount
name: logdrop-user
namespace: logdrop
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: logdrop-user-full-access
这不是ClusterRoleBinding,因为我的意图是使用户只能访问一个名称空间(logdrop),而不访问整个群集中的所有名称空间.
It's not a ClusterRoleBinding as my intention is to give the user access only to one namespace (logdrop), not to all namespaces across the cluster.
推荐答案
我在这里看到了潜在的问题.
I see a potential problem here.
PersistentVolumes是cluster scoped resources.管理员应在没有任何名称空间的情况下配置它们.
PersistentVolumes are cluster scoped resources. They are expected to be provisioned by the administrator without any namespace.
PersistentVolumeClaims可以由特定名称空间中的用户创建,因为它们是namespaced resources.
PersistentVolumeClaims however, can be created by users within a particular namespace as they are a namespaced resources.
这就是为什么当您使用admin凭据时它可以工作,但是使用logdrop时它会返回错误.
That's why when you use admin credentials it works but with logdrop it returns an error.
请让我知道这是否合理.
Please let me know if that makes sense.
这篇关于Kubernetes PersistentVolume的RBAC规则的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!