就创建了一个简单的角色绑定了服务账户 sa1 ,然后在 pod 内测试访问,没权限; 以下是现场,有无老哥帮忙看一下
$ kubectl describe role pod-reader
Name: pod-reader
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get watch list]
# Focusing on [sa1]
$ kubectl describe rolebinding read-pods
Name: read-pods
Labels: <none>
Annotations: <none>
Role:
Kind: Role
Name: pod-reader
Subjects:
Kind Name Namespace
---- ---- ---------
User user2
User user3
ServiceAccount sa1
$ cat pod_associate_serviceaccount.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx-sa-longtime
labels:
app: nginx
spec:
serviceAccountName: sa1
containers:
- name: nginx-container
image: nginx
# Enter container to test with curl, got 403
$ kubectl exec -it nginx-sa-longtime -- bash
root@nginx-sa-longtime:/# TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
root@nginx-sa-longtime:/# CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
root@nginx-sa-longtime:/# curl --cacert $CACERT --header "Authorization: Bearer $TOKEN" https://kubernetes.default.svc.cluster.local/api/v1/namespaces/defaut/pods
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "pods is forbidden: User \"system:serviceaccount:default:sa1\" cannot list resource \"pods\" in API group \"\" in the namespace \"defaut\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
1
evill 356 天前 1
namespace 的名字错误 defaut -> default
"message": "pods is forbidden: User \"system:serviceaccount:default:sa1\" cannot list resource \"pods\" in API group \"\" in the namespace \"defaut\"", <-------- |
2
dllall 356 天前 1
defaut?
|