【发布时间】:2018-01-27 18:46:00
【问题描述】:
那么有没有人知道我需要在我的 ServiceAccount yaml 中添加什么,以便在我尝试通过 REST API 列出内容时不会被拒绝访问我的 ServiceAccount: curl https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/persistentvolumeclaims -X GET -k -H "授权:承载 $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" 用户“system:serviceaccount:default:my-service-service-account”无法在命名空间“default”中列出 persistentvolumeclaims。
我的 RBAC serviceAccount 在 YAML 中设置如下:
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.service.name }}-service-account
labels:
app: {{ .Values.service.name }}
automountServiceAccountToken: true
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: default
name: {{ .Values.service.name }}-role
labels:
app: {{ .Values.service.name }}
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list","delete"]
- apiGroups: [""] # "" indicates the core API group
resources: ["persistentvolumeclaims"]
verbs: ["get", "watch", "list","delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ .Values.service.name }}-role-binding
labels:
app: {{ .Values.service.name }}
subjects:
- kind: ServiceAccount
# Reference to upper's `metadata.name`
name: {{ .Values.service.name }}-service-account
# Reference to upper's `metadata.namespace`
namespace: default
roleRef:
kind: Role
name: {{ .Values.service.name }}-role
apiGroup: rbac.authorization.k8s.io
【问题讨论】:
-
请通过tour 了解如何提出一个好问题。然后回来编辑你的问题。
标签: kubernetes yaml kubernetes-security