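I am trying to execute K8S kubectl cmds from inside a container (name: autodeploy). I have configured a ClusterRole, ServiceAccount and ClusterRoleBinding. But I get a Forbidden error when performing describe and scale operations on a K8S deployment.
Error from server (Forbidden): deployments.apps "test-deployment" is forbidden: User "system:node:ip-xx-xx-xx-xx.ec2.internal" cannot get resource "deployments" in API group "apps" in the namespace "abc"
The autodeploy container is also in the same namespace abc.
ClusterRole: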
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: autodeploy
rules:
- apiGroups: ["*"]
  resources: ["deployments", "deployments/scale", "pods"]
  verbs: ["get", "list", "update"]
ServiceAccount:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: autodeploy
  namespace: abc
ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: autodeploy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: autodeploy
subjects:
- kind: ServiceAccount
  name: autodeploy
  namespace: abc
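
An added example, not part of the original question: a minimal offline model of how RBAC matches the manifests above against the user named in the Forbidden error and against the ServiceAccount subject of the ClusterRoleBinding. The matcher is a simplification (it assumes only User and ServiceAccount subjects and ignores groups, namespaced RoleBindings and resourceNames), and all function names are hypothetical.

```python
# Added example: simplified RBAC check over the question's manifests,
# embedded here as Python dicts so the script runs offline.
CLUSTER_ROLE = {
    "metadata": {"name": "autodeploy"},
    "rules": [{
        "apiGroups": ["*"],
        "resources": ["deployments", "deployments/scale", "pods"],
        "verbs": ["get", "list", "update"],
    }],
}
BINDING = {
    "roleRef": {"kind": "ClusterRole", "name": "autodeploy"},
    "subjects": [
        {"kind": "ServiceAccount", "name": "autodeploy", "namespace": "abc"},
    ],
}

SA_USER = "system:serviceaccount:abc:autodeploy"
NODE_USER = "system:node:ip-xx-xx-xx-xx.ec2.internal"  # from the error message


def subject_username(subject):
    """Username the API server uses for a binding subject."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]  # assumed kind: User


def _matches(allowed, value):
    """A rule field matches on the literal value or the '*' wildcard."""
    return "*" in allowed or value in allowed


def role_allows(role, verb, api_group, resource):
    """True if any rule of the role covers verb + apiGroup + resource."""
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in role["rules"]
    )


def is_allowed(user, verb, api_group, resource, binding=BINDING, role=CLUSTER_ROLE):
    """The binding grants the role only to users listed as its subjects."""
    bound = any(subject_username(s) == user for s in binding["subjects"])
    refs_role = binding["roleRef"]["name"] == role["metadata"]["name"]
    return bound and refs_role and role_allows(role, verb, api_group, resource)


if __name__ == "__main__":
    for user in (SA_USER, NODE_USER):
        print(user, "get deployments.apps ->", is_allowed(user, "get", "apps", "deployments"))
```

The request in the error was authenticated as the node user, which is not a subject of the binding, so the rules in the ClusterRole are never consulted for it.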