I have an Azure Kubernetes cluster whose authentication and authorization setting is "Azure AD Authentication with Kubernetes RBAC". I want to authenticate with AAD but also keep using ordinary service accounts inside the cluster.
Although this seems to work inside my namespace, it looks as if I cannot grant a service account access to cluster-scoped resources:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dummy-admin
---
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to
# read secrets in any namespace.
kind: RoleBinding
metadata:
  name: exmple-binding
subjects:
- kind: User
  name: dummy-admin # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: v1
kind: Pod
metadata:
  name: kubectl
spec:
  serviceAccountName: dummy-admin
  containers:
  - name: kubectl
    image: bitnami/kubectl
    # Just spin & wait forever
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
Applying this configuration, running kubectl exec -ti pod/kubectl -- /bin/bash and trying to list nodes gives me this error:
I have no name!@kubectl:/$ kubectl get all
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "pods" in API group "" in the namespace "jaiv"
Error from server (Forbidden): replicationcontrollers is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "replicationcontrollers" in API group "" in the namespace "jaiv"
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "services" in API group "" in the namespace "jaiv"
Error from server (Forbidden): daemonsets.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "daemonsets" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "deployments" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): replicasets.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "replicasets" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): statefulsets.apps is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "statefulsets" in API group "apps" in the namespace "jaiv"
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "jaiv"
Error from server (Forbidden): cronjobs.batch is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "cronjobs" in API group "batch" in the namespace "jaiv"
Error from server (Forbidden): jobs.batch is forbidden: User "system:serviceaccount:jaiv:dummy-admin" cannot list resource "jobs" in API group "batch" in the namespace "jaiv"
In this case I see that I have the correct identity, and I would expect to be allowed to list resources in my namespace.
2 Answers
In your code you use Role and RoleBinding rather than ClusterRole and ClusterRoleBinding. These are different resource types. You are creating the service account in the default namespace and trying to perform operations in the jaiv namespace. Try ClusterRole and ClusterRoleBinding. They also apply to namespaced resources, but at cluster scope. (They are created the same way, only the name differs.) More details here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
I finally found my mistake.
When creating a role binding there are three different subject types: User, Group and ServiceAccount. I used User as the subject type, but I needed to define the role binding as:
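A complete manifest that combines both answers, added here as an example: it is neither the snippet the answer above omitted nor the asker's original. The RoleBinding subject uses kind ServiceAccount with an explicit namespace (a User subject named dummy-admin never matches the identity system:serviceaccount:jaiv:dummy-admin seen in the error output), and cluster-scoped resources such as nodes get a ClusterRole plus ClusterRoleBinding, because a Role can never grant them. The namespace jaiv is taken from the error output; the read-only verbs and the names node-reader and dummy-admin-node-reader are my assumptions, chosen instead of the question's wildcard rules.

```yaml
# Added example (not from the question or the answers).
# Assumes namespace "jaiv" from the error output and read-only access.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dummy-admin
  namespace: jaiv
---
# Namespaced resources: Role + RoleBinding in the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-role
  namespace: jaiv
rules:
- apiGroups: ["", "apps", "batch", "autoscaling"]
  resources:
  - pods
  - services
  - replicationcontrollers
  - deployments
  - replicasets
  - statefulsets
  - daemonsets
  - jobs
  - cronjobs
  - horizontalpodautoscalers
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-binding
  namespace: jaiv
subjects:
- kind: ServiceAccount   # not User: the identity is system:serviceaccount:jaiv:dummy-admin
  name: dummy-admin
  namespace: jaiv        # required for ServiceAccount subjects; no apiGroup here
roleRef:
  kind: Role
  name: example-role
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-scoped resources (nodes): ClusterRole + ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader      # assumed name
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dummy-admin-node-reader   # assumed name
subjects:
- kind: ServiceAccount
  name: dummy-admin
  namespace: jaiv
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
```

After kubectl apply -f, the grants can be checked without exec-ing into the pod: kubectl auth can-i list pods -n jaiv --as=system:serviceaccount:jaiv:dummy-admin and kubectl auth can-i list nodes --as=system:serviceaccount:jaiv:dummy-admin should both print yes, while the same check for secrets prints no, which is the point of replacing the wildcard rules with an explicit list.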