【Question title】: Kubernetes rbac pod/exec create operation is forbidden
【Posted】: 2020-12-26 11:58:51
【Question】:

I am working on operators and using operator-sdk for operator development. I am performing a pod exec for some business logic, but it keeps failing with the following error:

Failed to cleanup testst StatefulSet StatefulSet.Name : devst{"Instance.Namespace": "default", "Instance.Name": "testst-sample", "error": "pods \"testst-0\" is forbidden: User \"system:serviceaccount:test-db:default\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\""}

Below is the role definition:

Name:         manager-role
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"creationTimestamp":null,"name":"manager-ro...
PolicyRule:
  Resources                                  Non-Resource URLs  Resource Names  Verbs
  ---------                                  -----------------  --------------  -----
  statefulsets.''/finalizers                 []                 []              [create delete get list patch update watch]
  configmaps                                 []                 []              [create delete get list patch update watch]
  persistentvolumeclaims                     []                 []              [create delete get list patch update watch]
  secrets                                    []                 []              [create delete get list patch update watch]
  services                                   []                 []              [create delete get list patch update watch]
  statefulsets.apps                          []                 []              [create delete get list patch update watch]
  teststapps.example.com                     []                 []              [create delete get list patch update watch]
  teststapps.example.com/finalizers          []                 []              [create delete get patch update]
  pods/exec                                  []                 []              [create get]
  pods/log                                   []                 []              [get list watch]
  pods                                       []                 []              [get list watch]
  teststapps.example.com/status              []                 []              [get patch update]

Role binding definition:

kubectl describe clusterrolebinding.rbac.authorization.k8s.io/manager-rolebinding
Name:         manager-rolebinding
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"manager-rolebinding"},"roleR...
Role:
  Kind:  ClusterRole
  Name:  manager-role
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  default  system

Please advise what I am doing wrong.

【Discussion】:

    Tags: kubernetes operator-sdk


    【Solution 1】:

    According to the RoleBinding, you have associated the ClusterRole manager-role with the ServiceAccount default in the system namespace, but according to the error, the ServiceAccount is default in the test-db namespace.

    If you change the namespace system to test-db in the RoleBinding, it should work. Also make sure to create the RoleBinding in the test-db namespace rather than the system namespace.
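    An added example (not code from the question or the answer) that replays the answer's diagnosis: a toy RBAC evaluator over the ClusterRole rules and binding subject shown above, demonstrating that a ServiceAccount subject is matched on namespace and name together, so the binding with namespace "system" never applies to system:serviceaccount:test-db:default while the one with namespace "test-db" grants pods/exec create. The rule and binding dicts are transcribed from the describe output; can_i, ROLES and the other names are assumptions of this example, not part of Kubernetes.

```python
SA_PREFIX = "system:serviceaccount:"

# manager-role rules relevant to the error, transcribed from the describe output above.
MANAGER_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "get"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
]
ROLES = {"manager-role": MANAGER_ROLE_RULES}

# Subject exactly as in the question's binding: ServiceAccount "default" in namespace "system".
BROKEN_BINDING = {"roleRef": "manager-role",
                  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "system"}]}
# The same binding with the subject namespace changed to the one named in the error.
FIXED_BINDING = {"roleRef": "manager-role",
                 "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "test-db"}]}

def parse_service_account(user):
    """Split 'system:serviceaccount:<ns>:<name>' into (ns, name); None for non-SA users."""
    if not user.startswith(SA_PREFIX):
        return None
    ns, _, name = user[len(SA_PREFIX):].partition(":")
    return (ns, name) if ns and name else None

def subject_matches(subject, user):
    """A ServiceAccount subject matches on namespace AND name, never on name alone."""
    sa = parse_service_account(user)
    return (subject["kind"] == "ServiceAccount" and sa is not None
            and (subject["namespace"], subject["name"]) == sa)

def rule_allows(rule, api_group, resource, verb):
    """Subresources such as pods/exec are matched as their own resource string."""
    checks = ((api_group, rule["apiGroups"]), (resource, rule["resources"]), (verb, rule["verbs"]))
    return all(want in have or "*" in have for want, have in checks)

def can_i(user, verb, resource, bindings, roles=ROLES, api_group=""):
    """True if some binding names the user and its role has a matching rule.
    A ClusterRoleBinding applies in every namespace, so the pod's namespace never matters."""
    return any(any(subject_matches(s, user) for s in b["subjects"])
               and any(rule_allows(r, api_group, resource, verb) for r in roles[b["roleRef"]])
               for b in bindings)

if __name__ == "__main__":
    user = "system:serviceaccount:test-db:default"  # the user named in the error message
    print("broken binding:", can_i(user, "create", "pods/exec", [BROKEN_BINDING]))  # False
    print("fixed binding:", can_i(user, "create", "pods/exec", [FIXED_BINDING]))  # True
```

    On a real cluster the equivalent check is `kubectl auth can-i create pods/exec -n default --as=system:serviceaccount:test-db:default`, which should answer "no" before the fix and "yes" after it.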

    【Comments】:

    • Thanks. Please let me know whether it is possible to create namespaces and service accounts from within the operator. My operator is multi-group based, so for each API and controller I will create a different namespace and service account. Is there a way to create namespaces and service accounts from the operator? The namespace and service account details will be passed through the CR.
    • You would use the service account to create the namespace and service account. As long as that service account has permission to perform those operations, it should work.