GKE traefik無法創建rbac權限
[英]GKE traefik fails to create rbac permissions
問題描述
我試圖在GKE (谷歌雲kubernetes引擎)上安裝traefik作為入口控制器,當我嘗試:
kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml
我有這個錯誤:
服務器出錯(禁止):創建“ https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml ”時出錯:clusterroles.rbac.authorization.k8s.io“traefik- “ingress-controller”是禁止的:嘗試授予額外的權限:[PolicyRule {APIGroups:[“”],Resources:[“services”],動詞:[“get”]} PolicyRule {APIGroups:[“”],資源: [“services”],動詞:[“list”]} PolicyRule {APIGroups:[“”],資源:[“services”],動詞:[“watch”]} PolicyRule {APIGroups:[“”],資源: [“endpoints”],動詞:[“get”]} PolicyRule {APIGroups:[“”],資源:[“endpoints”],動詞:[“list”]} PolicyRule {APIGroups:[“”],資源: [“endpoints”],動詞:[“watch”]} PolicyRule {APIGroups:[“”],資源:[“secrets”],動詞:[“get”]} PolicyRule {APIGroups:[“”],資源: [“secrets”],動詞:[“list”]} PolicyRule {APIGroups:[“”],資源:[“secrets”],動詞:[“watch”]} PolicyRule {APIGroups:[“extensions”],資源:[“ingresses”],動詞:[“get”]} PolicyRule {APIGroups:[“extensions”],資源:[“ingres ses“],動詞:[”list“]} PolicyRule {APIGroups:[”extensions“],資源:[”ingresses“],動詞:[”watch“]}] user=&{IzoPi4a@gmail.com [system :驗證]圖[user-assertion.cloud.google.com:[ADKE0IBz9kwSuZRZkfbLil8iC / ijcmJJmuys2DvDGxoxQ5yP6Pdq1IQs3JRwDmd / lWm2vGdMXGB4h1QKiwx + 3uV2ciTb / oQNtkthBvONnVp4fJGOSW1S + 8O8dqvoUNRLNeB5gADNn1TKEYoB + JvRkjrkTOxtIh7rPugLaP5Hp7thWft9xwZqF9U4fgYHnPjCdRgvMrDvGIK8z7ONljYuStpWdJDu7LrPpT0L]]} ownerrules = [{PolicyRule APIGroups:[ “authorization.k8s.io”],資源:[“selfsubjectaccessreviews”“selfsubjectrulesreviews”],動詞:[“create”]} PolicyRule {NonResourceURLs:[“/ api”“/ api / ”“/ apis”“/ apis / ”“/ healthz”“/ openapi”“ / openapi / “” / swagger- 2.0.0.pb-v1“”/ swagger.json“”/ swaggerapi“”/ swaggerapi / “”/ version“”/ version /“],動詞:[”get“]} ] ruleResolutionErrors = []
問題是這一部分,另一個是成功創建的:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
基於文檔( https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control )我嘗試執行此命令,但我仍然得到相同的錯誤
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=MY_EMAIL_THAT_I_LOGIN_INTO_GCP
有沒有人設法解決這個問題? 或者它只是不起作用?
我想在沒有loadBalancer的情況下制作一個kubernetes集群,以便在我的本地機器(minikube)上便宜,我沒有這樣的問題。
2 個解決方案
解決方案1
8 已采納 2018-09-01 16:05:05
所以對於那些試圖在GKE上安裝traefik的人來說,你會遇到這個錯誤信息,那就先這樣做吧https://stackoverflow.com/a/46316672/1747159
# Get password value
$ gcloud container clusters describe CUSTER_NAME --zone ZONE_NAME | grep password
# Pass username and password parameters
$ kubectl apply -f https://raw.githubusercontent.com/containous/traefik/master/examples/k8s/traefik-rbac.yaml --username=admin --password=PASSWORD
感謝Nicola Ben幫我搞清楚
解決方案2
2 2019-01-22 17:01:13
這里的主要問題是您當前的用戶沒有足夠的權限來執行此操作。 要創建必要的綁定:
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value core/account)
感謝istio的想法。
GKE 上的 Pod 在 GCE 上創建磁盤的權限
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.