I am trying to add an existing GKE cluster (an Autopilot cluster) to Anthos in the same project. It updates the hub membership, but the gke-connect agent pod fails with an RBAC-related error.
$ for ns in $(kubectl get ns -o jsonpath={.items..metadata.name} -l hub.gke.io/project); do
> echo "======= Logs $ns ======="
> kubectl logs -n $ns -l app=gke-connect-agent
> done
======= Logs gke-connect =======
2021/03/26 15:57:50.604149 gkeconnect_agent.go:39: GKE Connect Agent. Log timestamps in UTC.
2021/03/26 15:57:50.604380 gkeconnect_agent.go:40:
Built on: 2021-03-19 09:40:57 +0000 UTC
Built at: 363842994
Build Status: mint
Build Label: 20210319-01-00
2021/03/26 15:57:50.715289 gkeconnect_agent.go:50: error creating kubernetes
connect agent: unable to retrieve namespace "kube-system" to be used as
connectionID: namespaces "kube-system" is forbidden: User
"system:serviceaccount:gke-connect:connect-agent-sa" cannot get resource
"namespaces" in API group "" in the namespace "kube-system"
I checked the role binding of the connect-agent-sa service account, and the role seems to have the required `get namespaces` permission, but it still fails.
$ k get role gke-connect-agent-20210319-01-00 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-03-26T16:35:12Z"
  labels:
    hub.gke.io/project: xxxxxxxxxxxxxxxxxxx
    version: 20210319-01-00
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:hub.gke.io/project: {}
          f:version: {}
      f:rules: {}
    manager: GoogleCloudConsole
    operation: Update
    time: "2021-03-26T16:35:12Z"
  name: gke-connect-agent-20210319-01-00
  namespace: gke-connect
  resourceVersion: "10595136"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/gke-connect/roles/gke-connect-agent-20210319-01-00
  uid: xxxxxxxx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - namespaces <-- namespaces!!!
  - configmaps
  verbs:
  - get <-- get!!!
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
Are there other restrictions or policies that I am not aware of? Is it because it is an auto-pilot cluster?
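The following is an added example, not part of the question above: a hypothetical, simplified model of how the Kubernetes RBAC authorizer scopes a namespaced Role, fed with the rules transcribed from the Role shown in the post. It encodes two facts about the real authorizer: a `Role` only applies to requests in its own namespace, and a request for a `Namespace` object is authorized as if it were made in that namespace, which is why the error names `kube-system` even though the Role lives in `gke-connect`. The `can_i` function and the `ClusterRole` variant are constructed for illustration.

```python
"""Hypothetical mini RBAC evaluator (not the real Kubernetes authorizer)."""

# Rules transcribed from the gke-connect-agent-20210319-01-00 Role in the post.
ROLE = {
    "kind": "Role",
    "namespace": "gke-connect",
    "rules": [
        {"apiGroups": [""], "resources": ["secrets", "namespaces", "configmaps"],
         "verbs": ["get", "watch", "list"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
    ],
}

# Constructed for comparison: the same rules granted cluster-wide.
CLUSTER_ROLE = {"kind": "ClusterRole", "namespace": None, "rules": ROLE["rules"]}


def rule_matches(rule, verb, group, resource):
    """A rule matches when verb, API group and resource are each listed (or '*')."""
    return all(
        wanted in allowed or "*" in allowed
        for wanted, allowed in (
            (verb, rule["verbs"]),
            (group, rule["apiGroups"]),
            (resource, rule["resources"]),
        )
    )


def request_namespace(resource, namespace, name):
    """GET /api/v1/namespaces/<name> is authorized as a request *in* <name>."""
    return name if resource == "namespaces" and name else namespace


def can_i(bound_roles, verb, group, resource, namespace="", name=""):
    """Return True if any Role/ClusterRole bound to the subject allows the request."""
    ns = request_namespace(resource, namespace, name)
    for role in bound_roles:
        if role["kind"] == "Role" and role["namespace"] != ns:
            continue  # a namespaced Role never reaches outside its own namespace
        if any(rule_matches(r, verb, group, resource) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    sa = "system:serviceaccount:gke-connect:connect-agent-sa"
    for ns in ("gke-connect", "kube-system"):
        verdict = "allowed" if can_i([ROLE], "get", "", "namespaces", name=ns) else "forbidden"
        print(f"{sa} get namespace {ns} via Role: {verdict}")
```

On a live cluster the equivalent check is `kubectl auth can-i get namespaces -n kube-system --as=system:serviceaccount:gke-connect:connect-agent-sa`, which answers the same question against the real authorizer.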