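【Question title】: Update deployment from container in Cluster
【Posted】: 2018-03-30 17:22:18
【Question description】:

I am trying to update a deployment from a Go application running in the cluster, but it fails with an authorization error.

GKE master version 1.9.4-gke.1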

package main

import (
    "fmt"

    "github.com/pkg/errors"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/client-go/kubernetes"
    "k8s.io/client-go/rest"
)

func updateReplicas(namespace string, name string, replicas int32) error {
    config, err := rest.InClusterConfig()
    if err != nil {
        return errors.Wrap(err, "failed rest.InClusterConfig")
    }
    clientset, err := kubernetes.NewForConfig(config)
    if err != nil {
        return errors.Wrap(err, "failed kubernetes.NewForConfig")
    }

    deployment, err := clientset.AppsV1().Deployments(namespace).Get(name, metav1.GetOptions{})
    if err != nil {
        fmt.Printf("failed get Deployment %+v\n", err)
        return errors.Wrap(err, "failed get deployment")
    }
    deployment.Spec.Replicas = &replicas
    fmt.Printf("Deployment %v\n", deployment)
    ug, err := clientset.AppsV1().Deployments(deployment.Namespace).Update(deployment)
    if err != nil {
        fmt.Printf("failed update Deployment %+v", err)
        return errors.Wrap(err, "failed update Deployment")
    }
    fmt.Printf("done update deployment %v\n", ug)

    return nil
}

Resulting message

failed get Deployment deployments.apps "land-node" is forbidden: User "system:serviceaccount:default:default" cannot get deployments.apps in the namespace "default": Unknown user "system:serviceaccount:default:default"

I have set up the permissions as follows; is that not enough?

deployment-editor.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: deployment-editor
rules:
- apiGroups: [""]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]

editor-deployement.yaml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: editor-deployment
  namespace: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: deployment-editor
  apiGroup: rbac.authorization.k8s.io

【Question discussion】:

    Tags: kubernetes google-kubernetes-engine


    【Solution 1】:

    From "Unable to list deployments resources using RBAC":

    replicasets and deployments exist in the "extensions" and "apps" API groups, not in the legacy "" group

    - apiGroups:
      - extensions
      - apps
      resources:
      - deployments
      - replicasets
      verbs:
      - get
      - list
      - watch
      - update
      - create
      - patch
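
The mismatch the answer describes, as an added example (not part of the original posts and not Kubernetes' own authorizer code): a simplified model of RBAC rule matching that covers only apiGroups, resources and verbs with the `*` wildcard, run against the rule from the question and the rule from the answer. The names PolicyRule, Allowed, QuestionRule and AnswerRule are hypothetical.

```go
package main

import "fmt"

// PolicyRule models the three RBAC rule fields used on this page (hypothetical type).
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants verb on resource in apiGroup.
// All three fields must match within the same rule; "" names the core group only.
func Allowed(rules []PolicyRule, apiGroup, resource, verb string) bool {
	for _, r := range rules {
		if has(r.APIGroups, apiGroup) && has(r.Resources, resource) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// QuestionRule is the rule from the question's ClusterRole (apiGroups: [""]).
var QuestionRule = []PolicyRule{{
	APIGroups: []string{""},
	Resources: []string{"deployments"},
	Verbs:     []string{"get", "list", "watch", "create", "update", "patch"},
}}

// AnswerRule is the rule from the answer (apiGroups: extensions, apps).
var AnswerRule = []PolicyRule{{
	APIGroups: []string{"extensions", "apps"},
	Resources: []string{"deployments", "replicasets"},
	Verbs:     []string{"get", "list", "watch", "update", "create", "patch"},
}}

func main() {
	// clientset.AppsV1().Deployments(ns).Get(...) is a "get" on deployments in group "apps".
	fmt.Println("question rule, get:", Allowed(QuestionRule, "apps", "deployments", "get"))
	fmt.Println("answer rule, get:  ", Allowed(AnswerRule, "apps", "deployments", "get"))
	// Verbs that are not listed stay denied, so the grant covers only what the app needs.
	fmt.Println("answer rule, delete:", Allowed(AnswerRule, "apps", "deployments", "delete"))
}
```
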
    
