
How to deploy ClusterRoleBinding in Google Kubernetes Engine for KubeIP

I am seeing RBAC failures while attempting to deploy KubeIP to GKE.

I have isolated the problem to the following part of the KubeIP infrastructure:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubeip-sa
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch","patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","list","watch"]

I get the following error from kubectl and GKE:

Error from server (Forbidden): error when creating "template.yml": clusterroles.rbac.authorization.k8s.io "kubeip-sa" is forbidden: attempt to grant extra privileges: [{[get] [] [nodes] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []} {[patch] [] [nodes] [] []} {[get] [] [pods] [] []} {[list] [] [pods] [] []} {[watch] [] [pods] [] []}] user=&{108986779198363313539 [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpldMDXqrDZ2slnJReDbLytxt6P2EEyEBbLNRB90oOATH4vIURo/lIhaBuAj9nnwwyxJDSxj2OdCyjjgBC/s5QxftIJnr8128ToTglCzk+e8Wybt4heIizRHugWnIhKNqkF+B0yiv0pIxgOfakma+SbkzbQbVzJPtgxsmHmak30YfPA58n/xyJ8R7oNVJ5dFUAWDFNsqHf/auolViw0Zd7Cr4aYYDXX4GScw==]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]

I created the appropriate ~/.kube/config by issuing

gcloud container clusters get-credentials <cluster> \
  --zone <zone> \
  --project <project>

The gcloud service account I am using has been granted cluster-admin in the relevant GKE cluster

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud config get-value account)

I can verify that my service account user should be using the cluster-admin role by checking my current gcloud user and checking the GKE ClusterRoleBinding

$ gcloud config get-value account
terraform@<project>.iam.gserviceaccount.com

$ kubectl describe clusterrolebinding cluster-admin-binding
Name:         cluster-admin-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind  Name                                                Namespace
  ----  ----                                                ---------
  User  terraform@<project>.iam.gserviceaccount.com  

According to kubectl I should be able to create ClusterRoleBindings

$ kubectl auth can-i create clusterrolebinding
yes

Does anyone see which element of GKE RBAC I am missing?

The answer to the question "Creating a ClusterRole as the default compute service account fails with an extra permissions error" led me to the solution.

If the ClusterRoleBinding is mapped to the service account's unique ID instead of its email, everything works as expected.

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user $(gcloud iam service-accounts describe <service account email> --format="value(uniqueId)")
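The error above comes from the Kubernetes RBAC escalation-prevention check: the API server resolves the rules the caller already holds (the `ownerrules` in the message) and refuses to create a ClusterRole containing any permission not in that set. The `user=&{108986779198363313539 ...}` part is the identity GKE actually authenticated, which is why a binding on the email address never matched. The following Python is an added example, not code from the question, the answer, or KubeIP: it models that coverage check in simplified form (exact verb, apiGroup and resource matching with `*` wildcards, prefix matching for nonResourceURLs, no resourceNames or subresources) over the rules quoted on this page, and extracts the authenticated identity from a constructed copy of the error so it can be compared with a binding's subject name.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One RBAC PolicyRule, reduced to the fields this simplified check needs."""
    verbs: tuple
    api_groups: tuple = ()
    resources: tuple = ()
    non_resource_urls: tuple = ()


def _covers_verb(owner: Rule, verb: str) -> bool:
    return "*" in owner.verbs or verb in owner.verbs


def _covers_url(owner: Rule, url: str) -> bool:
    # nonResourceURLs match exactly, or by prefix when the pattern ends in '*'
    return any(p == url or (p.endswith("*") and url.startswith(p[:-1]))
               for p in owner.non_resource_urls)


def covers(owner: Rule, atom: Rule) -> bool:
    """True if `owner` grants the single (verb, group, resource) or (verb, url) atom."""
    verb, = atom.verbs
    if not _covers_verb(owner, verb):
        return False
    if atom.non_resource_urls:
        url, = atom.non_resource_urls
        return _covers_url(owner, url)
    group, = atom.api_groups
    resource, = atom.resources
    return (("*" in owner.api_groups or group in owner.api_groups)
            and ("*" in owner.resources or resource in owner.resources))


def atoms(rule: Rule):
    """Break a rule into the individual permissions it grants."""
    for verb in rule.verbs:
        for url in rule.non_resource_urls:
            yield Rule((verb,), non_resource_urls=(url,))
        for group in rule.api_groups:
            for resource in rule.resources:
                yield Rule((verb,), (group,), (resource,))


def extra_privileges(owner_rules, requested_rules):
    """Requested atoms that no owner rule covers: a non-empty list means Forbidden."""
    return [a for req in requested_rules for a in atoms(req)
            if not any(covers(o, a) for o in owner_rules)]


# Rules from the kubeip-sa ClusterRole in the question.
KUBEIP_RULES = (
    Rule(("get", "list", "watch", "patch"), ("",), ("nodes",)),
    Rule(("get", "list", "watch"), ("",), ("pods",)),
)

# ownerrules as printed in the error: what the API server thinks the caller holds.
DEFAULT_OWNER_RULES = (
    Rule(("create",), ("authorization.k8s.io",),
         ("selfsubjectaccessreviews", "selfsubjectrulesreviews")),
    Rule(("get",), non_resource_urls=("/api", "/api/*", "/apis", "/apis/*",
                                       "/healthz", "/openapi", "/openapi/*", "/version")),
)

# What cluster-admin resolves to once the binding actually matches the caller.
CLUSTER_ADMIN_RULES = (
    Rule(("*",), ("*",), ("*",)),
    Rule(("*",), non_resource_urls=("*",)),
)

# Matches the "user=&{<name> [<groups>]" fragment of the Forbidden message.
USER_RE = re.compile(r"user\s*=\s*&\{(\S+)\s+\[([^\]]*)\]")


def authenticated_identity(error_text: str):
    """Return (user name, groups) the API server saw, or None if not found."""
    m = USER_RE.search(error_text)
    if not m:
        return None
    return m.group(1), tuple(m.group(2).split())


# Constructed fragment modelled on the error in the question (token and rule lists elided).
SAMPLE_ERROR = ('clusterroles.rbac.authorization.k8s.io "kubeip-sa" is forbidden: '
                'attempt to grant extra privileges: [...] '
                'user=&{108986779198363313539 [system:authenticated] map[]} ownerrules=[...]')


def binding_applies(subject_name: str, error_text: str) -> bool:
    """Does a ClusterRoleBinding User subject name match the identity in the error?"""
    ident = authenticated_identity(error_text)
    return ident is not None and ident[0] == subject_name


if __name__ == "__main__":
    for a in extra_privileges(DEFAULT_OWNER_RULES, KUBEIP_RULES):
        print("not held by caller:", a)
    print("binding by email applies:",
          binding_applies("terraform@<project>.iam.gserviceaccount.com", SAMPLE_ERROR))
    print("binding by uniqueId applies:", binding_applies("108986779198363313539", SAMPLE_ERROR))
```

Run stand-alone, it lists all seven node/pod permissions as not held by the caller under the default owner rules and shows that only the numeric uniqueId subject matches the identity in the error; swapping in `CLUSTER_ADMIN_RULES` makes the list empty, which is the state the corrected binding produces.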
