I added a new user named "hello" to the cluster using client-certificate-data and client-key-data. When I switch to its context and run the command:

kubectl get ns development-hello

I get:

Error from server (Forbidden): namespaces "development-hello" is forbidden: User "hello" cannot get resource "namespaces" in API group "" in the namespace "development-hello"

I don't have a cluster role binding for this user.

Here is a snapshot from kubectl config view:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://127.0.0.1:33445
  name: kind-kind
contexts:
- context:
    cluster: kind-kind
    user: hello
  name: hello-kind-kind
- context:
    cluster: kind-kind
    user: kind-kind
  name: kind-kind
current-context: hello-kind-kind
kind: Config
preferences: {}
users:
- name: hello
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kind-kind
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
1 Answer

You need to create a ClusterRole and a RoleBinding for the user hello using the admin account.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ns-role
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch", "list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ns-rolebinding
  namespace: development-hello
subjects:
- kind: User
  name: hello
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ns-role
  apiGroup: rbac.authorization.k8s.io

The kubeconfig file with the admin account can be retrieved using the following command:

docker exec -it <kind-control-plane-node-name> cat /etc/kubernetes/admin.conf
Answered 2020-12-29T13:46:54.550
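The following is an added example, not part of the answer and not Kubernetes code: a simplified model of the RBAC decision. It shows that a rule must name the plural resource `namespaces` (a singular `namespace` never matches), and that a RoleBinding in `development-hello` only reaches requests carrying that namespace. The function names and the `ns-role-singular` role are hypothetical.

```python
"""Simplified model of the Kubernetes RBAC authorizer (illustration only)."""

def rule_allows(rule, verb, group, resource):
    """A rule matches only on exact (or "*") verb, API group and plural resource name."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], group)
            and hit(rule["resources"], resource))

def authorize(user, verb, group, resource, namespace, roles, bindings):
    """Return True if any binding for `user` reaches a rule that allows the request.

    `namespace` is the namespace attribute of the request; for
    GET /api/v1/namespaces/<name> the API server sets it to <name>,
    while listing all namespaces carries no namespace ("").
    """
    for b in bindings:
        if user not in b["users"]:
            continue
        # A RoleBinding only applies inside its own namespace;
        # a ClusterRoleBinding (namespace None) applies everywhere.
        if b["namespace"] is not None and b["namespace"] != namespace:
            continue
        if any(rule_allows(r, verb, group, resource) for r in roles[b["role"]]):
            return True
    return False  # RBAC is deny-by-default

VERBS = ["get", "watch", "list", "create", "delete"]
# Constructed sample data modelled on the ClusterRole in the answer;
# "ns-role-singular" is a hypothetical variant with the singular resource name.
ROLES = {
    "ns-role-singular": [{"apiGroups": [""], "resources": ["namespace"], "verbs": VERBS}],
    "ns-role": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": VERBS}],
}

def check(role, verb, namespace):
    """Evaluate a request by user hello, bound via a RoleBinding in development-hello."""
    binding = {"users": ["hello"], "namespace": "development-hello", "role": role}
    return authorize("hello", verb, "", "namespaces", namespace, ROLES, [binding])

if __name__ == "__main__":
    print(check("ns-role-singular", "get", "development-hello"))  # singular name
    print(check("ns-role", "get", "development-hello"))           # bound namespace
    print(check("ns-role", "list", ""))                           # cluster-wide list
```

On a real cluster, the equivalent check is `kubectl auth can-i get namespaces/development-hello --as hello`, run from the admin context.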