GKE RBAC角色/角色绑定到集群中的访问节点状态
[英]GKE RBAC role / rolebinding to access node status in the cluster
问题描述
I can't get a rolebinding right in order to get node status from an app which runs in a pod on GKE. 
我无法获得正确的角色绑定,才能从在GKE上的Pod中运行的应用程序获取节点状态。
I am able to create a pod from there but not get node status. 我能够从那里创建一个Pod,但无法获取节点状态。 He is the role I am creating: 他是我正在创建的角色:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: node-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["nodes"]
verbs: ["get", "watch", "list"]
This is the error I get when I do a getNodeStatus: 这是我执行getNodeStatus时遇到的错误:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "nodes \"gke-cluster-1-default-pool-36c26e1e-2lkn\" is forbidden: User \"system:serviceaccount:default:sa-poc\" cannot get nodes/status at the cluster scope: Unknown user \"system:serviceaccount:default:sa-poc\"",
"reason": "Forbidden",
"details": {
"name": "gke-cluster-1-default-pool-36c26e1e-2lkn",
"kind": "nodes"
},
"code": 403
}
I tried with some minor variations but did not succeed. 我尝试了一些细微的变化,但没有成功。
Kubernetes version on GKE is 1.8.4-gke.1 GKE上的Kubernetes版本是1.8.4-gke.1
Any help appreciated, thanks! 任何帮助表示赞赏,谢谢!
1 个解决方案
解决方案1
2 已采纳 2018-01-03 16:41:27
子<resource>/<subresource>权限表示为<resource>/<subresource> ,因此在该角色中,您将指定resources: ["nodes","nodes/status"]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.