I want to configure a native Kubernetes cluster with a Terraform script. I tried this Terraform script:

terraform {
  required_providers {
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.13.1"
    }
    kubectl = {
      source = "gavinbunney/kubectl"
      version = "1.14.0"
    }
    helm = {
      source = "hashicorp/helm"
      version = "2.6.0"
    }
  }
}
provider "kubectl" {
  # run kubectl cluster-info to get endpoint and port
  host = "https://192.168.1.139:6443/"
  token = "eyJhbGciOiJSUzI1NiIsImt....."
  insecure = true
}
provider "kubernetes" {
  # run kubectl cluster-info to get endpoint and port
  host = "https://192.168.1.139:6443/"
  token = "eyJhbGciOiJSUzI1NiIsImt....."
  insecure = true
}
resource "kubernetes_namespace" "example" {
  metadata {
    annotations = {
      name = "example-annotation"
    }
    labels = {
      mylabel = "label-value"
    }
    name = "terraform-example-namespace"
  }
}

References: https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs

I tried to create a user following this tutorial: https://killercoda.com/kimwuestkamp/scenario/k8s1.24-serviceaccount-secret-changes

kubectl create sa cicd
kubectl get sa,secret
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: cicd
spec:
  serviceAccount: cicd
  containers:
  - image: nginx
    name: cicd
EOF
kubectl exec cicd -- cat /run/secrets/kubernetes.io/serviceaccount/token && echo
kubectl exec cicd cat /run/secrets/kubernetes.io/serviceaccount/token && echo
kubectl create token cicd
kubectl create token cicd --duration=999999h
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: cicd
  annotations:
    kubernetes.io/service-account.name: "cicd"
EOF
kubectl get sa,secret
kubectl describe secret cicd
kubectl describe sa cicd
kubectl get sa cicd -oyaml
kubectl get sa,secret

When I run the Terraform script, I get this error:

kubernetes_namespace.example: Creating...
╷
│ Error: namespaces is forbidden: User "system:serviceaccount:default:cicd" cannot create resource "namespaces" in API group "" at the cluster scope
│
│   with kubernetes_namespace.example,
│   on main.tf line 36, in resource "kubernetes_namespace" "example":
│   36: resource "kubernetes_namespace" "example" {

Can you tell me what user configuration is missing?
Can you suggest the correct way to implement this script and deploy Helm charts to a local Kubernetes cluster?
Posted on 2022-09-27 01:49:08

Error: namespaces is forbidden: User "system:serviceaccount:default:cicd" cannot create resource "namespaces" in API group "" at the cluster scope

The service account cicd in the namespace default lacks permissions. You can first assign cluster-admin permissions to make sure the pipeline works, then gradually adjust the permissions according to your use case. Apply the following spec before the pipeline starts:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <of your own>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: cicd
  namespace: default

Posted on 2022-09-27 06:26:34

You need to implement RBAC (Role-Based Access Control) by attaching a ClusterRole and a ClusterRoleBinding to the ServiceAccount. The SA only holds the token used to authenticate against the k8s api-server. Authorization is enabled through RBAC; here is an example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <cluster-role-name>
rules:
- apiGroups: [""]
  resources: ["namespaces"] # the resource name is plural: "namespaces"
  verbs: ["create"] # specify other verbs e.g get, list, delete, watch etc.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <cluster-role-binding-name>
subjects:
- kind: ServiceAccount
  name: <service-account-name>
  namespace: default # specify other namespace
roleRef:
  kind: ClusterRole
  name: <cluster-role-name>
  apiGroup: rbac.authorization.k8s.io

See the official k8s docs.
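Both answers give the RBAC objects as YAML; since the question manages the cluster from Terraform, the same grant can live in the Terraform configuration next to the namespace resource. The following is an added example, not code from the question or either answer, and it narrows the first answer's cluster-admin binding to the single permission the failing resource needs. It assumes the cicd ServiceAccount already exists in the default namespace, that an admin kubeconfig at ~/.kube/config holds enough rights to create ClusterRoles (a ServiceAccount cannot grant itself permissions it does not already have, so the binding has to be created by a privileged identity), that the cicd token is passed in as a sensitive variable instead of being pasted into main.tf, and that the cluster CA certificate has been exported to ./ca.crt so TLS can be verified rather than disabled with insecure = true. The host address is the one from the question.

```hcl
# Added example, not part of the original question or answers.
# Assumptions: ~/.kube/config is an admin kubeconfig, the "cicd" ServiceAccount
# exists in "default", ./ca.crt holds the cluster CA, var.cicd_token is the
# output of `kubectl create token cicd`.

variable "cicd_token" {
  description = "Bearer token for the cicd ServiceAccount"
  type        = string
  sensitive   = true
}

# Privileged identity used only to install the RBAC objects.
provider "kubernetes" {
  alias       = "admin"
  config_path = "~/.kube/config"
}

# The identity the pipeline actually runs as. TLS is verified against the
# cluster CA instead of being turned off.
provider "kubernetes" {
  host                   = "https://192.168.1.139:6443"
  token                  = var.cicd_token
  cluster_ca_certificate = file("${path.module}/ca.crt")
}

# Least-privilege ClusterRole: only the namespaces resource. Terraform reads
# the object back after creating it, so "get" is needed next to "create";
# "delete" is what `terraform destroy` will use.
resource "kubernetes_cluster_role" "cicd_namespaces" {
  provider = kubernetes.admin
  metadata {
    name = "cicd-namespaces"
  }
  rule {
    api_groups = [""]
    resources  = ["namespaces"]
    verbs      = ["create", "get", "list", "watch", "update", "patch", "delete"]
  }
}

resource "kubernetes_cluster_role_binding" "cicd_namespaces" {
  provider = kubernetes.admin
  metadata {
    name = "cicd-namespaces"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.cicd_namespaces.metadata[0].name
  }
  subject {
    kind      = "ServiceAccount"
    name      = "cicd"
    namespace = "default"
  }
}

# The resource from the question, created as the cicd ServiceAccount through
# the default (non-admin) provider once the binding exists.
resource "kubernetes_namespace" "example" {
  depends_on = [kubernetes_cluster_role_binding.cicd_namespaces]
  metadata {
    name = "terraform-example-namespace"
  }
}
```

Before running `terraform apply`, the grant can be checked without creating anything: `kubectl auth can-i create namespaces --as=system:serviceaccount:default:cicd` should answer `yes` once the binding is in place and `no` for verbs or resources the role does not list, which is a quick way to confirm the pipeline identity has exactly the access intended and nothing wider.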
https://stackoverflow.com/questions/73766937