CronJob Pod with an RBAC Role via a ServiceAccount keeps throwing Forbidden errors

rfbsl7qr  published on  2022-09-20  in  Kubernetes

The bounty expires in 3 days. Answers to this question are eligible for a +50 reputation bounty. Abhishek Malik is looking for an answer from a reputable source.

I want to patch a StatefulSet from a Pod via a CronJob for a specific use case. For this I created the following manifests with a custom ServiceAccount, Role and RoleBinding to allow the Pod access to the apps API group with the patch verb, but I keep running into the following error:

Error from server (Forbidden): statefulsets.apps "test-statefulset" is forbidden: User "system:serviceaccount:test-namespace:test-serviceaccount" cannot get resource "statefulsets" in API group "apps" in the namespace "test-namespace"

My K8s manifests:

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    env: test
  name: test-serviceaccount
  namespace: test-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    env: test
  name: test-role
  namespace: test-namespace
rules:
- apiGroups:
  - apps/v1
  resourceNames:
  - test-statefulset
  resources:
  - statefulsets
  verbs:
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    env: test
  name: test-binding
  namespace: test-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-role
subjects:
- kind: ServiceAccount
  name: test-serviceaccount
  namespace: test-namespace
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  labels:
    env: test
  name: test-job
  namespace: test-namespace
spec:
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 3
  jobTemplate:
    metadata:
      labels:
        env: test
    spec:
      activeDeadlineSeconds: 900
      backoffLimit: 1
      parallelism: 1
      template:
        metadata:
          labels:
            env: test
        spec:
          containers:
          - args:
            # With "sh -c" only the first argument is executed as the script
            # (a second one would just become $0), so both commands go in one string.
            - |
              kubectl -n test-namespace patch statefulset test-statefulset -p '{"spec":{"replicas":0}}'
              kubectl -n test-namespace patch statefulset test-statefulset -p '{"spec":{"replicas":1}}'
            command:
            - /bin/sh
            - -c
            image: bitnami/kubectl
          restartPolicy: Never
          serviceAccountName: test-serviceaccount
  schedule: '*/5 * * * *'
  startingDeadlineSeconds: 300
  successfulJobsHistoryLimit: 3
  suspend: false

Debugging so far:

1. I have checked that the manifests and the ServiceAccount association are fine, and they appear to be. The Secret mounted on the Pod started by the CronJob has the correct name.
2. Used a simpler Role with apiGroups "" (i.e. the core group) and tried to "get pods" from that Pod: same error.

Role description:

Name:         test-role
Labels:       env=test
Annotations:  <none>
PolicyRule:
  Resources             Non-Resource URLs  Resource Names   Verbs
  ---------             -----------------  --------------   -----
  statefulsets.apps/v1  []                 [test-statefulset]  [patch]

RoleBinding description:

Name:         test-binding
Labels:       env=test
Annotations:  <none>
Role:
  Kind:  Role
  Name:  test-role
Subjects:
  Kind            Name                Namespace
  ----            ----                ---------
  ServiceAccount  test-serviceaccount  test-namespace

dxxyhpgq  1#

A StatefulSet needs two verbs for a patch to be applied: GET and PATCH. Patch alone will not work.
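As an added illustration (not code from the question or the answer), the following Python mirrors how RBAC rules are matched against the two requests kubectl patch makes, and shows the posted Role failing for two independent reasons: apiGroups takes the bare group name "apps" (not "apps/v1"), and get must be granted alongside patch. The matcher is a constructed, simplified model of rule semantics, not the kube-apiserver authorizer.

```python
# Minimal model of Kubernetes RBAC rule matching, written for this post (not the
# kube-apiserver authorizer, but the same semantics): a request is allowed if ANY
# rule matches its API group, resource, verb and, when set, resourceNames.
from typing import NamedTuple


class Request(NamedTuple):
    verb: str
    group: str      # "" is the core group; StatefulSets live in "apps"
    resource: str
    name: str


def _matches(want: str, allowed: list) -> bool:
    return "*" in allowed or want in allowed


def rule_allows(rule: dict, req: Request) -> bool:
    """One rule (a dict using the Role YAML keys) permits a request only if every field matches."""
    if not _matches(req.group, rule["apiGroups"]):
        return False  # "apps/v1" is group/version text, never equal to the group "apps"
    if not _matches(req.resource, rule["resources"]):
        return False
    if not _matches(req.verb, rule["verbs"]):
        return False
    names = rule.get("resourceNames", [])  # empty means any object name
    return not names or req.name in names


def role_allows(rules: list, req: Request) -> bool:
    return any(rule_allows(r, req) for r in rules)


# kubectl patch reads the object before sending the PATCH (hence the "cannot get"
# error in the question), so the CronJob pod needs both requests permitted.
KUBECTL_PATCH_FLOW = [
    Request("get", "apps", "statefulsets", "test-statefulset"),
    Request("patch", "apps", "statefulsets", "test-statefulset"),
]

# The Role as posted: versioned group name and only the patch verb.
POSTED_ROLE = [{"apiGroups": ["apps/v1"], "resources": ["statefulsets"],
                "resourceNames": ["test-statefulset"], "verbs": ["patch"]}]
# Corrected Role: bare group name, and get granted alongside patch.
FIXED_ROLE = [{"apiGroups": ["apps"], "resources": ["statefulsets"],
               "resourceNames": ["test-statefulset"], "verbs": ["get", "patch"]}]


def denied_verbs(rules: list) -> list:
    """Verbs in the kubectl patch flow that the given Role would reject."""
    return [r.verb for r in KUBECTL_PATCH_FLOW if not role_allows(rules, r)]
```

On a live cluster the equivalent check is kubectl auth can-i get statefulsets/test-statefulset -n test-namespace --as=system:serviceaccount:test-namespace:test-serviceaccount, repeated with patch as the verb.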
