我有一个Azure Kubernetes集群，设置身份验证和授权设置为“Azure AD Authentication with Kubernetes Rbac”。我希望能够同时使用AAD进行身份验证，而且还可以使用集群中的常规服务帐户。
虽然它似乎在我的命名空间内工作，但看起来好像我不能授予服务帐户访问集群范围的资源：

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dummy-admin
---
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to
# read secrets in any namespace.
kind: RoleBinding
metadata:
  name: exmple-binding
subjects:
  - kind: User
    name: dummy-admin  # Name is case sensitive
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-role
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: v1
kind: Pod
metadata:
  name: kubectl
spec:
  serviceAccountName: dummy-admin
  containers:
  - name: kubectl
    image: bitnami/kubectl
   # Just spin & wait forever
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]

字符串
应用此配置，运行kubectl exec -ti pod/kubectl -- /bin/bash并尝试列出节点，给予我这个错误：

I have no name!@kubectl:/$ kubectl get all
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "pods" in API group "" in the namespace "jaiv"
Error from server (Forbidden): replicationcontrollers is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "replicationcontrollers" in API group "" in the namespace "jaiv"
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "services" in API group "" in the namespace "jaiv"
Error from server (Forbidden): daemonsets.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "daemonsets" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "deployments" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): replicasets.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "replicasets" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): statefulsets.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "statefulsets" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "jaiv"
Error from server (Forbidden): cronjobs.batch is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "cronjobs" in API group "batch" in the namespace "jaiv"
Error from server (Forbidden): jobs.batch is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "jobs" in API group "batch" in the namespace "jaiv"

型
在这种情况下，我看到我是正确的身份，并希望被允许在我的命名空间中列出资源。

2条答案

按热度按时间

hc2pp10m1#

在代码中，使用role和rolebindings，而不是clusterroles和clusterrolebdingins。这是不同的资源类型。
您正在default命名空间中创建服务帐户，并尝试在jaiv命名空间上执行某些操作。尝试使用ClusterRole和ClusterRoleBinding。它也适用于命名空间资源，但适用于群集范围。（创建方式相同，只是名称不同）
更多详情请点击此处：https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole

赞(0）回复(0）举报 2023-08-03

axr492tv2#

我终于发现了我的错误。
在进行角色绑定时，有三种不同的主体类型：用户、组和服务帐户。我使用User作为主题类型，而是需要将角色绑定定义为：

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to
# read secrets in any namespace.
kind: RoleBinding
metadata:
  name: exmple-binding
subjects:
  - kind: ServiceAccount
    name: dummy-admin  # Name is case sensitive
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io

字符串

展开查看全部

Azure kubernetes clusterrolebindings不工作

2条答案

相关问题

热门标签

最新问答