cannot create resource "namespaces" in API group ""
This is my ClusterRoleBinding and ClusterRole definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bootstrap
subjects:
- kind: ServiceAccount
  name: executors
  namespace: bootstrap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap
rules:
- apiGroups:
  - '*'
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
Service account
[node1 ~]$ kubectl get sa executors -n bootstrap -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2022-08-30T19:51:17Z"
  name: executors
  namespace: bootstrap
  resourceVersion: "2209"
  uid: 488f5a2d-c44d-4db1-8d18-11a4f0206952
secrets:
- name: executors-token-2b2wl
Testing the configuration
[node1 ~]$ kubectl create namespace test --as=executors
Error from server (Forbidden): namespaces is forbidden: User "executors" cannot create resource "namespaces" in API group "" at the cluster scope
[node1 ~]$ kubectl auth can-i create namespace --as=executors
Warning: resource 'namespaces' is not namespace scoped
no
Why am I getting the above error? I did follow the k8s doc of ClusterRoleBinding here.
Try this and let me know how it goes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bootstrap
subjects:
- kind: ServiceAccount
  name: executors
  namespace: bootstrap
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap
rules:
- apiGroups:
  - ''
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
I see that in my cluster the ClusterRole system:controller:namespace-controller has apiGroups of '' rather than the '*' in the original ClusterRole.
You did not create the ClusterRole correctly; use the following:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bootstrap
rules:
- apiGroups: [""]
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
Either use
apiGroups: [""]
or
- apiGroups:
  - ''
For details, see the documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
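An added example, not part of the original posts and not Kubernetes code: a simplified Python model of how an RBAC check matches the requesting user name against the binding's subjects and the rule's apiGroups, run on the objects from the question. It assumes the documented behaviour that a ServiceAccount subject is matched under the user name system:serviceaccount:<namespace>:<name> and that '*' in a rule list is a wildcard; the function names are hypothetical.

```python
# Added example: simplified model of an RBAC check for a cluster-scoped request.
# Not Kubernetes source code; Group subjects and resourceNames are left out.

def subject_matches(subject, username):
    """Does a binding subject apply to the authenticated user name?"""
    if subject["kind"] == "ServiceAccount":
        # Service accounts authenticate as system:serviceaccount:<namespace>:<name>
        return username == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    if subject["kind"] == "User":
        return username == subject["name"]
    return False

def rule_allows(rule, api_group, resource, verb):
    """Group, resource and verb must all match; '*' is a wildcard in each list."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def can_i(username, verb, resource, api_group, role, binding):
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        return False
    if not any(subject_matches(s, username) for s in binding["subjects"]):
        return False
    return any(rule_allows(r, api_group, resource, verb) for r in role["rules"])

# The objects from the question, written as Python dicts.
BINDING = {
    "roleRef": {"kind": "ClusterRole", "name": "bootstrap"},
    "subjects": [{"kind": "ServiceAccount", "name": "executors", "namespace": "bootstrap"}],
}
VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]
ROLE_STAR = {"metadata": {"name": "bootstrap"},
             "rules": [{"apiGroups": ["*"], "resources": ["namespaces"], "verbs": VERBS}]}
ROLE_CORE = {"metadata": {"name": "bootstrap"},
             "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": VERBS}]}

def report():
    """Check 'create namespaces' (core group "") for both user names and both roles."""
    rows = []
    for user in ("executors", "system:serviceaccount:bootstrap:executors"):
        for label, role in (("'*'", ROLE_STAR), ("''", ROLE_CORE)):
            rows.append((user, label, can_i(user, "create", "namespaces", "", role, BINDING)))
    return rows

if __name__ == "__main__":
    for user, groups, allowed in report():
        print(f"{user!r:45} apiGroups={groups:4} -> {'yes' if allowed else 'no'}")
```

On a live cluster the same question can be asked with `kubectl auth can-i create namespaces --as=system:serviceaccount:bootstrap:executors`, which impersonates the service account rather than a user named executors.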
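Notice: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.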