k8s service account still has no permissions after binding a role

2023-11-23 08:59:58 +08:00
 lasuar

I just created a simple Role and bound it to the service account sa1, then tested access from inside the pod and got no permission. Below is what I have; could someone take a look?

$ kubectl describe role pod-reader      
Name:         pod-reader
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get watch list]

# Focusing on [sa1]
$ kubectl describe rolebinding read-pods  
Name:         read-pods
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  pod-reader
Subjects:
  Kind            Name   Namespace
  ----            ----   ---------
  User            user2  
  User            user3  
  ServiceAccount  sa1   

$ cat pod_associate_serviceaccount.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: nginx-sa-longtime
  labels:
    app: nginx
spec:
  serviceAccountName: sa1
  containers:
    - name: nginx-container
      image: nginx

# Enter container to test with curl, got 403
$ kubectl exec -it nginx-sa-longtime -- bash   
root@nginx-sa-longtime:/# TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
root@nginx-sa-longtime:/# CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
root@nginx-sa-longtime:/# curl --cacert $CACERT --header "Authorization: Bearer $TOKEN" https://kubernetes.default.svc.cluster.local/api/v1/namespaces/defaut/pods
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"system:serviceaccount:default:sa1\" cannot list resource \"pods\" in API group \"\" in the namespace \"defaut\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
1059 clicks
Node: Kubernetes
3 replies
evill
2023-11-23 09:13:38 +08:00
The namespace name is wrong: defaut -> default

"message": "pods is forbidden: User \"system:serviceaccount:default:sa1\" cannot list resource \"pods\" in API group \"\" in the namespace \"defaut\"", <--------
dllall
2023-11-23 09:13:44 +08:00
defaut?
lasuar
2023-11-23 09:27:05 +08:00
Thanks @evill @dllall
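The 403 Status body in the original post already carries everything needed to spot the mismatch evill pointed out: the denial names the user, verb, resource and namespace the API server evaluated. As an added example (not code from the thread), this Python parses such a body and compares it with what the RoleBinding is expected to grant; the binding namespace, verbs and resource are passed in by hand, and the sample body is constructed from the post.

```python
import json
import re

# The API server's authorization-denial message has a fixed shape; this pattern
# covers both namespaced ("in the namespace X") and cluster-scoped denials.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def parse_forbidden(status_json: str) -> dict:
    """Pull user, verb, resource, API group and namespace out of a 403 Status body."""
    status = json.loads(status_json)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a 403 Status object")
    match = FORBIDDEN_RE.search(status["message"])
    if match is None:
        raise ValueError("unrecognised forbidden message: " + status["message"])
    fields = match.groupdict()
    # Service-account users are named system:serviceaccount:<namespace>:<name>
    parts = fields["user"].split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        fields["sa_namespace"], fields["sa_name"] = parts[2], parts[3]
    return fields

def diagnose(denial: dict, binding_namespace: str, verbs: set, resource: str) -> str:
    """Explain a denial against what a namespaced RoleBinding is expected to grant."""
    if denial["namespace"] is None:
        return "cluster-scoped request; a RoleBinding cannot grant it, a ClusterRoleBinding can"
    if denial["namespace"] != binding_namespace:
        return (f"request targets namespace {denial['namespace']!r} but the RoleBinding "
                f"is in {binding_namespace!r}; check the URL or -n flag for a typo")
    if denial["resource"] != resource:
        return f"Role covers {resource!r}, request was for {denial['resource']!r}"
    if denial["verb"] not in verbs:
        return f"Role allows {sorted(verbs)}, request used {denial['verb']!r}"
    return "rule should match; check that the binding subject names this exact account"

# Constructed sample: the 403 body from the post above, with its "defaut" typo.
SAMPLE_403 = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure", "code": 403,
    "reason": "Forbidden", "details": {"kind": "pods"},
    "message": 'pods is forbidden: User "system:serviceaccount:default:sa1" cannot '
               'list resource "pods" in API group "" in the namespace "defaut"',
})

if __name__ == "__main__":
    denial = parse_forbidden(SAMPLE_403)
    print(diagnose(denial, "default", {"get", "watch", "list"}, "pods"))
```

On a live cluster, `kubectl auth can-i list pods -n default --as=system:serviceaccount:default:sa1` answers the same question before curling the API from inside a pod.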

https://www.v2ex.com/t/994373