kubernetes RoleBinding和ClusterRoleBinding中不能有多个ServiceAccount主题？

uqxowvwt 于 2023-03-12 发布在 Kubernetes

关注(0)|答案(2)|浏览(115)

我遇到了一个奇怪的问题，不知道我是不是疯了。我有以下的角色绑定和集群角色绑定yaml：

# Standard CLI role, some executable dashboard permissions.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: company-engineer-binding
  namespace: company-ns
subjects:
- kind: ServiceAccount
  name: testseven
  apiGroup: ""
- kind: ServiceAccount
  name: testsix
  apiGroup: ""
roleRef:
  kind: Role
  name: company-engineer
  apiGroup: ""
---
# Used to handle a few read-only permissions on the dashboard (listing)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: company-engineer-dashboard-clusterbinding
subjects:
- kind: ServiceAccount
  name: testseven
  namespace: company-ns
- kind: ServiceAccount
  name: testsix
  namespace: company-ns
roleRef:
  kind: ClusterRole
  name: company-engineer-dashboard
  apiGroup: rbac.authorization.k8s.io

每一个都有一个关联的角色/集群角色，并且已经过验证。问题是，当使用kubectl apply -f应用这个yaml时，它只将角色应用到列表中的第一个主题。因此，在上面的示例中，只有testseven ServiceAccount获得这些角色，而testsix帐户什么也得不到。

[root@k8s-m01 yaml]# kubectl get rolebinding,clusterrolebinding,role,clusterrole --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="testseven")]}[{.roleRef.kind},{.roleRef.name}]{end}'

[Role,company-engineer][ClusterRole,company-engineer-dashboard]

[root@k8s-m01 yaml]# kubectl get rolebinding,clusterrolebinding,role,clusterrole --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="testsix")]}[{.roleRef.kind},{.roleRef.name}]{end}'

[No output returns]

有人能给我指出正确的方向吗？顺便说一句，我已经验证了使用从证书生成的用户不会发生同样的问题-它只会发生在服务帐户上。
谢谢！

kubernetes

来源：https://stackoverflow.com/questions/68411200/unable-to-have-multiple-serviceaccount-subjects-in-rolebinding-clusterrolebind

2条答案

按热度按时间

thigvfpy1#

已成功应用角色绑定和群集角色绑定
这更像是一个jsonpath查询问题，而不是应用rolebindgs。

kubectl get -f company-engineer-binding.yaml -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-07-16T16:46:10Z"
  name: company-engineer-binding
  namespace: company-ns
  resourceVersion: "1120710"
  uid: da5e3a51-55c5-4cf5-896f-d89e87ca1553
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: company-engineer
subjects:
- kind: ServiceAccount            #index 0
  name: testseven
- kind: ServiceAccount            #index 1 
  name: testsix

# following command is working(showing output) because you are looking for key named 'name' with value 'testseven' 'at' index '0' under array 'subjects' as you mentioned ?(@.subjects[0].name=="testseven")
kubectl get rolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="testseven")]}[{.roleRef.kind},{.roleRef.name}]{end}'
[Role,company-engineer]

#following command does not show any ouput because you looking for key named 'name' with value 'testseven' 'at' index '0' under array 'subjects' as you mentioned ?(@.subjects[0].name=="testsix") but we have 'testsix' at index '1' 
kubectl get rolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="testsix")]}[{.roleRef.kind},{.roleRef.name}]{end}' 

#so if i change the index to 1 , The command works fine and shows output .
#Also not that i had to run this command on a particular namespace because following command will throw json error because other namespaces might have a rolebinding where they have only one subject/service account means no index 1.
# error message would contain 'Error executing template: array index out of bounds:'
kubectl get rolebinding -n company-ns  -o jsonpath='{range .items[?(@.subjects[1].name=="testsix")]}[{.roleRef.kind},{.roleRef.name}]{end}'
[Role,company-engineer]

赞(0）回复(0）举报 2023-03-12

gojuced72#

只需创建另一个具有不同名称crb

赞(0）回复(0）举报 2023-03-12