用户“system:serviceaccount:default:flink”无法在集群范围内列出 API 组“”中的资源“节点”

Question

我正在尝试在一个 k8s pod 中调用 k8s api。但遇到以下权限问题：

User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope.

在我的 yaml 文件中，我已经指定了 Role 和 RoleBinding。我在这里想念什么？

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flink
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: zeppelin-server-role
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "deployments", "nodes"]
  verbs: ["create", "get", "update", "patch", "list", "delete", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["bind", "create", "get", "update", "patch", "list", "delete", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: zeppelin-server-role-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: flink
roleRef:
  kind: ClusterRole
  name: zeppelin-server-role
  apiGroup: rbac.authorization.k8s.io

Answer 1

您正在 Kubernetes 上部署 zeppelin-server，对吧？我认为您的带有服务帐户的 yaml 文件看起来不错，但是为了确保它有效，您应该按照以下步骤操作：

• kubectl get clusterrole

你应该得到zeppelin-server-role角色。

• 检查您的帐户“flink”是否绑定到 clusterrole“zeppelin-server-role”

kubectl get clusterrole clusterrolebinding

如果没有，可以通过以下命令创建：

kubectl create clusterrolebinding zeppelin-server-role-binding --clusterrole=zeppelin-server-role --serviceaccount=default:flink

• 最后，看看你是不是真的是这个账号：

kubectl get deploy flink-deploy -o yaml

如果您无法从输出中看到设置“serviceAccount”和“serviceAccountName”，例如：

...
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
...

然后添加这个你想要 flink 使用的账号：

kubectl patch deploy flink-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'