Kubernetes: RBAC authorization fails for custom resource

922:johndoe:db-operator:(master)λ kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.6", GitCommit:"6260bb08c46c31eea6cb538b34a9ceb3e406689c", GitTreeState:"clean", BuildDate:"2017-12-21T06:34:11Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.12-gke.14", GitCommit:"021f778af7f1bd160d8fba226510f7ef9c9742f7", GitTreeState:"clean", BuildDate:"2019-03-30T19:30:57Z", GoVersion:"go1.9.3b4", Compiler:"gc", Platform:"linux/amd64"}

I created a custom resource definition along with an operator to control that resource, but the operator gets a 'forbidden' error at runtime.

The custom resource definition yaml, the role.yaml and role_binding.yaml are:

# role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: db-operator
rules:
  - apiGroups: ['']
    resources: ['pods', 'configmaps']
    verbs: ['get']
  - apiGroups: ['']
    resources: ['configmaps']
    verbs: ['create']
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ['*']
  - apiGroups: ['']
    resources: ['databaseservices.app.example.com', 'databaseservices', 'DatabaseServices']

# role_binding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: db-operator
subjects:
  - kind: ServiceAccount
    name: db-operator
    namespace: default
roleRef:
  kind: Role
  name: db-operator
  apiGroup: rbac.authorization.k8s.io

# custom resource definition
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: databaseservices.app.example.com
spec:
  group: app.example.com
  names:
    kind: DatabaseService
    listKind: DatabaseServiceList
    plural: databaseservices
    singular: databaseservice
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description:
            'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description:
            'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          type: object
        status:
          type: object
  version: v1alpha1
  versions:
    - name: v1alpha1
      served: true
      storage: true

Notice that I'm trying to reference the custom resource by plural name, by name with group, as well as by kind.

As visible in the Role definition, permissions for other resources seem to work.

However the operator always errors with:

E0425 09:02:04.687611       1 reflector.go:134] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: Failed to list *v1alpha1.DatabaseService: databaseservices.app.example.com is forbidden: User "system:serviceaccount:default:db-operator" cannot list databaseservices.app.example.com in the namespace "default"

Any idea what might be causing this?

Try this Role definition for your custom resource:

- apiGroups: ['app.example.com']
  resources: ['databaseservices']
  verbs: ['*']
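To show why the question's Role denies the informer's list request and the answer's rule allows it, here is an added Python model of Kubernetes RBAC rule matching. It is not Kubernetes code and not part of the question or answer; it mirrors the documented semantics (a rule matches only when apiGroups, resources and verbs all match, `""` is the core group, `*` is a wildcard, the resource is compared against the API plural name, and RBAC is additive with no deny rules), ignoring resourceNames and subresources. The rules and the request are transcribed from the page; the `LEAST_PRIVILEGE_RULES` variant is my own suggestion, not the answer's.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    """One entry of a Role's `rules` list (resourceNames/subresources omitted)."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Request:
    """What the authorizer evaluates: API group, plural resource, verb."""
    api_group: str   # "" is the core group (pods, secrets, configmaps)
    resource: str    # plural name from the API path, e.g. "databaseservices"
    verb: str


def _field_matches(allowed: List[str], wanted: str) -> bool:
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    # All three fields must match. The resource is the lowercase plural
    # name only; neither the Kind nor the "plural.group" CRD name matches.
    return (_field_matches(rule.api_groups, req.api_group)
            and _field_matches(rule.resources, req.resource)
            and _field_matches(rule.verbs, req.verb))


def role_allows(rules: List[Rule], req: Request) -> bool:
    """RBAC is purely additive: one matching rule suffices, nothing can deny."""
    return any(rule_allows(r, req) for r in rules)


def why_denied(rules: List[Rule], req: Request) -> List[str]:
    """Per rule, the first field that fails to match; empty if the request is allowed."""
    if role_allows(rules, req):
        return []
    reasons = []
    for i, rule in enumerate(rules):
        if not _field_matches(rule.api_groups, req.api_group):
            reasons.append(f"rule {i}: apiGroups {rule.api_groups} do not include {req.api_group!r}")
        elif not _field_matches(rule.resources, req.resource):
            reasons.append(f"rule {i}: resources {rule.resources} do not include {req.resource!r}")
        else:
            reasons.append(f"rule {i}: verbs {rule.verbs} do not include {req.verb!r}")
    return reasons


# The Role from the question, transcribed (the last rule lists no verbs in the post).
QUESTION_RULES = [
    Rule([""], ["pods", "configmaps"], ["get"]),
    Rule([""], ["configmaps"], ["create"]),
    Rule([""], ["secrets"], ["*"]),
    Rule([""], ["databaseservices.app.example.com", "databaseservices", "DatabaseServices"]),
]

# The answer's rule: the CRD's group and its plural resource name.
ANSWER_RULES = QUESTION_RULES[:3] + [Rule(["app.example.com"], ["databaseservices"], ["*"])]

# Narrower variant (my suggestion, not from the page): the verbs a
# controller-runtime informer plus a reconciler that updates the object need.
LEAST_PRIVILEGE_RULES = QUESTION_RULES[:3] + [
    Rule(["app.example.com"], ["databaseservices"], ["get", "list", "watch", "update", "patch"]),
]

# The request behind the error line in the question: the informer lists
# databaseservices.app.example.com in namespace "default".
LIST_REQUEST = Request("app.example.com", "databaseservices", "list")


if __name__ == "__main__":
    for name, rules in [("question", QUESTION_RULES), ("answer", ANSWER_RULES),
                        ("least-privilege", LEAST_PRIVILEGE_RULES)]:
        print(f"{name} Role allows list: {role_allows(rules, LIST_REQUEST)}")
        for reason in why_denied(rules, LIST_REQUEST):
            print("   ", reason)
```

Every rule in the question's Role fails on apiGroups, because `''` is the core group and the custom resource lives in `app.example.com`; even with the right group, a rule whose resources list only the Kind or the `plural.group` CRD name, or whose verbs are empty, still denies. Against a real cluster the same check is `kubectl auth can-i list databaseservices.app.example.com -n default --as=system:serviceaccount:default:db-operator`, which should answer `yes` once the corrected rule is bound. The wildcard verbs on both `secrets` and the custom resource grant more than an operator usually needs; the least-privilege variant above keeps list and watch working while refusing, for example, delete.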
