V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
lasuar
V2EX  ›  Kubernetes

k8s 的服务账户绑定角色后仍然没有权限

  •  
  •   lasuar · 356 天前 · 1047 次点击
    这是一个创建于 356 天前的主题,其中的信息可能已经有所发展或是发生改变。

    就创建了一个简单的角色绑定了服务账户 sa1 ,然后在 pod 内测试访问,没权限; 以下是现场,有无老哥帮忙看一下

    $ kubectl describe role pod-reader      
    Name:         pod-reader
    Labels:       <none>
    Annotations:  <none>
    PolicyRule:
      Resources  Non-Resource URLs  Resource Names  Verbs
      ---------  -----------------  --------------  -----
      pods       []                 []              [get watch list]
    
    # Focusing on [sa1]
    $ kubectl describe rolebinding read-pods  
    Name:         read-pods
    Labels:       <none>
    Annotations:  <none>
    Role:
      Kind:  Role
      Name:  pod-reader
    Subjects:
      Kind            Name   Namespace
      ----            ----   ---------
      User            user2  
      User            user3  
      ServiceAccount  sa1   
    
    $ cat pod_associate_serviceaccount.yaml 
    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-sa-longtime
      labels:
        app: nginx
    spec:
      serviceAccountName: sa1
      containers:
        - name: nginx-container
          image: nginx
    
    # Enter container to test with curl, got 403
    $ kubectl exec -it nginx-sa-longtime -- bash   
    root@nginx-sa-longtime:/# TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    root@nginx-sa-longtime:/# CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    root@nginx-sa-longtime:/# curl --cacert $CACERT --header "Authorization: Bearer $TOKEN" https://kubernetes.default.svc.cluster.local/api/v1/namespaces/defaut/pods
    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "pods is forbidden: User \"system:serviceaccount:default:sa1\" cannot list resource \"pods\" in API group \"\" in the namespace \"defaut\"",
      "reason": "Forbidden",
      "details": {
        "kind": "pods"
      },
      "code": 403
    }
    
    3 条回复    2023-11-23 09:27:05 +08:00
    evill
        1
    evill  
       356 天前   ❤️ 1
    namespace 的名字错误 defaut -> default

    "message": "pods is forbidden: User \"system:serviceaccount:default:sa1\" cannot list resource \"pods\" in API group \"\" in the namespace \"defaut\"", <--------
    dllall
        2
    dllall  
       356 天前   ❤️ 1
    defaut?
    lasuar
        3
    lasuar  
    OP
       356 天前
    感谢 @evill @dllall
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5846 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 25ms · UTC 06:16 · PVG 14:16 · LAX 22:16 · JFK 01:16
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.