I just created a simple Role, bound it to the service account sa1, and then tested access from inside the Pod: no permission. Here is what I have; could someone help me take a look?
$ kubectl describe role pod-reader
Name:         pod-reader
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods       []                 []              [get watch list]

# Focusing on [sa1]
$ kubectl describe rolebinding read-pods
Name:         read-pods
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  pod-reader
Subjects:
  Kind            Name   Namespace
  ----            ----   ---------
  User            user2
  User            user3
  ServiceAccount  sa1

$ cat pod_associate_serviceaccount.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-sa-longtime
  labels:
    app: nginx
spec:
  serviceAccountName: sa1
  containers:
  - name: nginx-container
    image: nginx

# Enter container to test with curl, got 403
$ kubectl exec -it nginx-sa-longtime -- bash
root@nginx-sa-longtime:/# TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
root@nginx-sa-longtime:/# CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
root@nginx-sa-longtime:/# curl --cacert $CACERT --header "Authorization: Bearer $TOKEN" https://kubernetes.default.svc.cluster.local/api/v1/namespaces/defaut/pods
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"system:serviceaccount:default:sa1\" cannot list resource \"pods\" in API group \"\" in the namespace \"defaut\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
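The 403 in the question follows from Roles and RoleBindings being namespace-scoped: a request to `/api/v1/namespaces/defaut/pods` is authorized against bindings that live in a namespace named `defaut`, where none exist, so the identity `system:serviceaccount:default:sa1` matches nothing. The added example below (not code from the thread, and not a real Kubernetes client) models that lookup with the objects from the `kubectl describe` output; it assumes the RoleBinding and the service account both live in `default`, which the describe output does not show but the 403 message implies.

```python
from dataclasses import dataclass

# Constructed, simplified model of namespaced RBAC objects.
@dataclass
class Role:
    namespace: str
    name: str
    rules: list  # list of (resources, verbs) tuples

@dataclass
class RoleBinding:
    namespace: str
    role_name: str
    subjects: list  # list of (kind, name, namespace) tuples

def subject_matches(subject, user):
    """Map a RoleBinding subject to the username the API server sees."""
    kind, name, ns = subject
    if kind == "User":
        return user == name
    if kind == "ServiceAccount":
        return user == f"system:serviceaccount:{ns}:{name}"
    return False

def can_i(user, verb, resource, namespace, roles, bindings):
    """True if a RoleBinding in `namespace` grants `verb` on `resource`.
    Bindings only apply inside their own namespace, so a request against a
    different (or misspelled) namespace finds no binding and is forbidden."""
    for rb in bindings:
        if rb.namespace != namespace:
            continue
        if not any(subject_matches(s, user) for s in rb.subjects):
            continue
        for role in roles:
            if role.namespace == rb.namespace and role.name == rb.role_name:
                for resources, verbs in role.rules:
                    if resource in resources and verb in verbs:
                        return True
    return False

# Objects reconstructed from the thread; namespace "default" is assumed.
POD_READER = Role("default", "pod-reader", [(["pods"], ["get", "watch", "list"])])
READ_PODS = RoleBinding("default", "pod-reader",
                        [("User", "user2", None), ("User", "user3", None),
                         ("ServiceAccount", "sa1", "default")])
SA1 = "system:serviceaccount:default:sa1"

if __name__ == "__main__":
    for ns in ("defaut", "default"):  # the typo from the request, then the fix
        ok = can_i(SA1, "list", "pods", ns, [POD_READER], [READ_PODS])
        print(f"list pods in {ns!r}: {'allowed' if ok else 'forbidden (403)'}")
```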
1 evill 2023-11-23 09:13:38 +08:00
The namespace name is wrong: defaut -> default
"message": "pods is forbidden: User \"system:serviceaccount:default:sa1\" cannot list resource \"pods\" in API group \"\" in the namespace \"defaut\"", <--------
2 dllall 2023-11-23 09:13:44 +08:00
defaut?