1

我正在尝试在一个 k8s pod 中调用 k8s api。但是遇到以下权限问题:

User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope.

在我的 yaml 文件中,我已经指定了Role& RoleBinding。我在这里想念什么?

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: zeppelin-server-role
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "deployments", "nodes"]
  verbs: ["create", "get", "update", "patch", "list", "delete", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["bind", "create", "get", "update", "patch", "list", "delete", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: zeppelin-server-role-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: flink
roleRef:
  kind: ClusterRole
  name: zeppelin-server-role
  apiGroup: rbac.authorization.k8s.io
4

1 回答 1

1

您正在 Kubernetes 上部署 zeppelin-server,对吗?我认为您的带有服务帐户的 yaml 文件看起来不错,但是为了确保它有效,您应该按照以下步骤操作:

  • kubectl get clusterrole

你应该得到zeppelin-server-role角色。

  • 检查您的帐户“ flink ”是否绑定到 clusterrole“zeppelin-server-role”

kubectl get clusterrole clusterrolebinding

如果没有,您可以通过以下命令创建它:

kubectl create clusterrolebinding zeppelin-server-role-binding --clusterrole=zeppelin-server-role --serviceaccount=default:flink

  • 最后,检查你是否真的充当这个帐户:

kubectl get deploy flink-deploy -o yaml

如果您无法从输出中看到设置“serviceAccount”和“serviceAccountName”,例如:

...
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
...

然后添加您希望 flink 使用的此帐户:

kubectl patch deploy flink-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

于 2021-10-12T13:12:31.960 回答