stackoom
  简体   繁体   中英

cannot create resource "namespaces" in API group ""

 原文  2022-08-30 19:59:50       kubernetes/ openshift/ google-kubernetes-engine

Question

This is my ClusterRoleBinding and ClusterRole defination

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bootstrap
subjects:
- kind: ServiceAccount
  name: executors
  namespace: bootstrap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap
rules:
- apiGroups:
  - '*'
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

The service account

[node1 ~]$ kubectl  get sa executors  -n bootstrap -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-08-30T19:51:17Z"
  name: executors
  namespace: bootstrap
  resourceVersion: "2209"
  uid: 488f5a2d-c44d-4db1-8d18-11a4f0206952
secrets:
- name: executors-token-2b2wl

The test Config

[node1 ~]$ kubectl create namespace test  --as=executors
Error from server (Forbidden): namespaces is forbidden: User "executors" cannot create resource "namespaces" in API group "" at the cluster scope
[no

[node1 ~]$ kubectl auth can-i create namespace --as=executors
Warning: resource 'namespaces' is not namespace scoped
no

Why I'm getting the above error I did follow the k8's doc of ClusterRoleBinding here

2 answers

solution1
 0  2022-08-30 20:44:37

Try this and let me know how it goes.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bootstrap
subjects:
- kind: ServiceAccount
  name: executors
  namespace: bootstrap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap
rules:
- apiGroups:
  - ''
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

I see that in my cluster ClusterRole system:controller:namespace-controller have apiGroups of '' instead of '*' seen in your original ClusterRole.

solution2
 0  2022-08-30 21:00:14

You're not creating clusterrole correctly, please use the following:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

Either use

apiGroups: [""]

OR

- apiGroups:
  - ''

Refer to documentation for more details: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to update or create resource group tags using API in PowerShell? Create an AWS Resource Group with Terraform User cannot get resource "services" in API group - Jenkins pipeline EKS deployment Create and Delete Resource Group in Azure using Bicep Is it possible to grant permission for create resource group to service principal if no subscriptions are available? Wrong resource Group when I create a Managed Certificate in Azure Terraform can't create resource in group already exist Existence of a resource within a resource group How to create API Gateway Resource Policy that references itself in the Python CDK? How to create resource group in Azure when you are working with multiple tenant IDs?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM