
I am running a daemon on my Kubernetes cluster whose purpose is to accept gRPC requests and translate them into commands for creating, deleting and viewing pods in the k8s cluster. It runs in the cluster as a service and is deployed via helm.

The helm chart creates a service account for the daemon, "tass-daemon", and gives it a cluster role that is supposed to allow it to manipulate pods in a specific namespace, "tass-arrays".

However, I find that the service account does not seem to be working; my daemon reports a permission error when it tries to contact the K8S API server:

2021/03/04 21:17:48 pods is forbidden: User "system:serviceaccount:default:tass-daemon" cannot list resource "pods" in API group "" in the namespace "tass-arrays"

I have confirmed that the code works if I use the default service account with a manually added cluster role, but trying to set this up through the helm chart does not seem to work.

However, if I compare the tass-daemon clusterrole with admin (which obviously has permission to manipulate pods in all namespaces), they appear to be identical:

[maintainer@headnode helm]$ kubectl describe clusterrole admin  | grep -i pods
  pods                                            []                 []              [create delete deletecollection patch update get list watch]
  pods/attach                                     []                 []              [get list watch create delete deletecollection patch update]
  pods/exec                                       []                 []              [get list watch create delete deletecollection patch update]
  pods/portforward                                []                 []              [get list watch create delete deletecollection patch update]
  pods/proxy                                      []                 []              [get list watch create delete deletecollection patch update]
  pods/log                                        []                 []              [get list watch]
  pods/status                                     []                 []              [get list watch]

[maintainer@headnode helm]$ kubectl describe clusterrole tass-daemon  | grep -i pods
  pods/attach  []                 []              [create delete deletecollection patch update get list watch]
  pods         []                 []              [create delete deletecollection patch update get list watch]
  pods.apps    []                 []              [create delete deletecollection patch update get list watch]
  pods/status  []                 []              [get list watch]

Based on this setup, I would expect the tass-daemon service account to have the appropriate pod management permissions.

Here is the clusterrole.yaml from my helm chart:

{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: {{ template "tass-daemon.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "tass-daemon.fullname" . }}
  namespace: "tass-arrays"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create delete deletecollection patch update get list watch
- apiGroups:
  - ""
  resources:
  - pods/attach
  verbs:
  - create delete deletecollection patch update get list watch
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - get list watch
- apiGroups:
  - apps

And my clusterrolebinding.yaml:

{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: {{ template "tass-daemon.name" .}}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "tass-daemon.fullname" . }}
  namespace: "tass-arrays"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "tass-daemon.fullname" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "tass-daemon.fullname" . }}
  namespace: {{ .Release.Namespace }}
{{- end -}}

If I change the roleRef name to "admin", it works, but admin is more permissive than we want.

Finally, my serviceaccount.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: {{ template "tass-daemon.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "tass-daemon.fullname" . }}

Obviously I am doing something wrong, so what is the correct way to configure the clusterrole so that my daemon can manipulate pods in the "tass-arrays" namespace?


1 Answer


As I mentioned in the comments section, the apiVersion rbac.authorization.k8s.io/v1beta1 is deprecated; use rbac.authorization.k8s.io/v1 instead. API v1 is stable. You should use the stable version whenever possible.

Read more: rbac-kubernetes

Regarding the RBAC issue, the rules section of your ClusterRole should look like this:

rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

See: pod-rbac-forbidden

answered 2021-04-08T08:05:07.890
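An added illustration, not part of the question or the answer above: in the question's clusterrole.yaml each `verbs:` list holds one space-joined scalar ("create delete deletecollection patch update get list watch") rather than eight list items. The API server stores that string verbatim and the RBAC authorizer matches verbs by exact string, so `list` never matches, while `kubectl describe` prints a one-element list `["a b c"]` exactly like a real list `[a b c]`, which is why the two clusterroles looked identical. The stdlib-only Python check below runs over a constructed JSON document shaped like `kubectl get clusterrole tass-daemon -o json` output (not real cluster output), flags the joined-verb bug together with the deprecated apiVersion and the `metadata.namespace` that a cluster-scoped ClusterRole ignores, and evaluates a verb the way the authorizer does before and after splitting the strings.

```python
import json

# Constructed sample (not real cluster output): shaped like
# `kubectl get clusterrole tass-daemon -o json` for the question's chart,
# where every `verbs:` list holds ONE space-joined entry instead of eight.
RENDERED_CLUSTERROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1beta1",
  "kind": "ClusterRole",
  "metadata": {"name": "tass-daemon", "namespace": "tass-arrays"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["create delete deletecollection patch update get list watch"]},
    {"apiGroups": [""], "resources": ["pods/status"], "verbs": ["get list watch"]}
  ]
}
""")

def lint_rbac(obj):
    """Return human-readable findings for a Role/ClusterRole JSON object."""
    findings = []
    if obj.get("apiVersion") == "rbac.authorization.k8s.io/v1beta1":
        findings.append("apiVersion v1beta1 is deprecated; use rbac.authorization.k8s.io/v1")
    if obj.get("kind") == "ClusterRole" and obj.get("metadata", {}).get("namespace"):
        findings.append("metadata.namespace on a ClusterRole is ignored (cluster-scoped); "
                        "use a Role + RoleBinding to limit access to one namespace")
    for i, rule in enumerate(obj.get("rules", [])):
        for verb in rule.get("verbs", []):
            if " " in verb:  # the question's bug: one string, not a YAML list
                findings.append(f"rules[{i}]: verb {verb!r} is a single string; "
                                f"write {verb.split()} instead")
    return findings

def fix_rules(obj):
    """Return a deep copy with every space-joined verb string split into real verbs."""
    fixed = json.loads(json.dumps(obj))
    for rule in fixed.get("rules", []):
        rule["verbs"] = [v for joined in rule.get("verbs", []) for v in joined.split()]
    return fixed

def grants(obj, verb, resource, api_group=""):
    """Exact-string match per rule, as the RBAC authorizer does (resourceNames ignored)."""
    def hit(values, want):
        return want in values or "*" in values
    return any(hit(r.get("apiGroups", []), api_group) and hit(r.get("resources", []), resource)
               and hit(r.get("verbs", []), verb) for r in obj.get("rules", []))
```

On a live cluster the same question is answered by `kubectl auth can-i list pods --as=system:serviceaccount:default:tass-daemon -n tass-arrays`, which asks the API server's authorizer directly instead of reading `describe` output.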