Kubernetes rbac pod/exec create operation is forbidden
I am working on an operator and using operator-sdk for operator development. I am doing a pod exec for some business logic, but it keeps failing with the following error:
Failed to cleanup testst StatefulSet StatefulSet.Name : devst{"Instance.Namespace": "default", "Instance.Name": "testst-sample", "error": "pods \"testst-0\" is forbidden: User \"system:serviceaccount:test-db:default\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\""}
Following is the role definition:
Name: manager-role
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"creationTimestamp":null,"name":"manager-ro...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
statefulsets.''/finalizers [] [] [create delete get list patch update watch]
configmaps [] [] [create delete get list patch update watch]
persistentvolumeclaims [] [] [create delete get list patch update watch]
secrets [] [] [create delete get list patch update watch]
services [] [] [create delete get list patch update watch]
statefulsets.apps [] [] [create delete get list patch update watch]
teststapps.example.com [] [] [create delete get list patch update watch]
teststapps.example.com/finalizers [] [] [create delete get patch update]
pods/exec [] [] [create get]
pods/log [] [] [get list watch]
pods [] [] [get list watch]
teststapps.example.com/status [] [] [get patch update]
Role Binding Definition
kubectl describe clusterrolebinding.rbac.authorization.k8s.io/manager-rolebinding
Name: manager-rolebinding
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"manager-rolebinding"},"roleR...
Role:
Kind: ClusterRole
Name: manager-role
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount default system
Please advise what I am doing wrong.
As per the RoleBinding you have associated the ClusterRole manager-role to a ServiceAccount default in the system namespace, but from the error the ServiceAccount is default in the test-db namespace.

If you change the namespace system to test-db in the RoleBinding it should work. Also make sure to create the RoleBinding in the test-db namespace instead of the system namespace.
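One way to apply and verify that fix, as an added example that is not part of the question or the answer: the RBAC "forbidden" message names the subject exactly as the API server sees it (`system:serviceaccount:<namespace>:<name>`), so the binding's subject can be derived from it rather than guessed. The script below parses a constructed copy of the error from the question, emits a ClusterRoleBinding for the page's `manager-role` / `manager-rolebinding` names with the namespace corrected to `test-db`, and composes the `kubectl auth can-i` impersonation check that confirms the grant before re-running the operator. The helper function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the question or answer): derive the correct
# ClusterRoleBinding subject from the RBAC "forbidden" error text and
# emit the manifest plus the kubectl command that verifies it.

# Constructed copy of the error message quoted in the question.
FORBIDDEN_ERROR='pods "testst-0" is forbidden: User "system:serviceaccount:test-db:default" cannot create resource "pods/exec" in API group "" in the namespace "default"'

# Extract the ServiceAccount namespace from a "system:serviceaccount:<ns>:<name>" user.
sa_namespace() {
  printf '%s\n' "$1" | sed -n 's/.*"system:serviceaccount:\([^:]*\):\([^"]*\)".*/\1/p'
}

# Extract the ServiceAccount name from the same user string.
sa_name() {
  printf '%s\n' "$1" | sed -n 's/.*"system:serviceaccount:\([^:]*\):\([^"]*\)".*/\2/p'
}

# Extract the namespace the request was made against (where the pod lives).
target_namespace() {
  printf '%s\n' "$1" | sed -n 's/.*in the namespace "\([^"]*\)".*/\1/p'
}

# Emit a ClusterRoleBinding that binds ClusterRole manager-role to the
# ServiceAccount identified in the error, with the namespace corrected.
binding_yaml() {
  ns=$(sa_namespace "$1")
  name=$(sa_name "$1")
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: $name
  namespace: $ns
EOF
}

# Compose the impersonation check: does the SA named in the error now have
# "create pods/exec" in the namespace the request failed in?
can_i_cmd() {
  ns=$(sa_namespace "$1")
  name=$(sa_name "$1")
  target=$(target_namespace "$1")
  printf 'kubectl auth can-i create pods/exec --as=system:serviceaccount:%s:%s -n %s\n' "$ns" "$name" "$target"
}

# Stand-alone run: print the corrected manifest and the verification command.
binding_yaml "$FORBIDDEN_ERROR"
can_i_cmd "$FORBIDDEN_ERROR"
```

Pipe the manifest into `kubectl apply -f -`, then run the printed `kubectl auth can-i` command; it should answer `yes` before the operator is retried. Because a ClusterRoleBinding is cluster-scoped, this grant lets the `test-db:default` ServiceAccount exec into pods in every namespace; if the operator only ever manages pods in `default`, a namespaced RoleBinding in `default` that references the same ClusterRole is the least-privilege form of the same fix.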