RBAC errors when assigning a project (namespace) to a workspace

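Steps:

  1. Log in to KubeSphere and go in through the "Platform Management" entry.
  2. Go to "Projects"; assigning a project to a workspace reports the two errors below, the first one more often.
  3. role.rbac.authorization.k8s.io "admin" not found
  4. RoleBinding.rbac.authorization.k8s.io "-admin" is invalid: subjects[0].name: Required value
  5. Every namespace assignment produces these two errors.
  6. The error only shows up in the top-right corner of the page and does not affect usage, but it is unpleasant to look at.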

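KubeSphere version: v3.3.1

k8s version: v1.24.4

Troubleshooting attempted

Judging from the error, I suspect the assigned namespace has no role?

Suppose the namespace being added is demo. After the assignment, running kubectl get role -n demo does show a role named "admin".

That looks fine: after the assignment to a workspace, KubeSphere creates a role in this namespace, so why does the page still report an error?

As for the second error, I can see the rolebinding was created there too and nothing looks wrong with it. I'm stumped.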

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    iam.kubesphere.io/aggregation-roles: '["role-template-view-members","role-template-manage-members",
      "role-template-view-roles","role-template-manage-roles", "role-template-view-app-workloads","role-template-manage-app-workloads",
      "role-template-view-volumes","role-template-manage-volumes", "role-template-view-snapshots","role-template-manage-snapshots",
      "role-template-view-secrets","role-template-manage-secrets", "role-template-view-serviceaccount","role-template-manage-serviceaccount",
      "role-template-view-configmaps","role-template-manage-configmaps", "role-template-view-alerting-policies","role-template-manage-alerting-policies",
      "role-template-view-alerting-messages","role-template-manage-alerting-messages",
      "role-template-view-custom-monitoring","role-template-manage-custom-monitoring",
      "role-template-view-pipelines","role-template-manage-pipelines", "role-template-view-pipelineruns","role-template-manage-pipelineruns",
      "role-template-view-credentials","role-template-manage-credentials", "role-template-view-gitrepositories","role-template-manage-gitrepositories",
      "role-template-view-gitops-applications","role-template-manage-gitops-applications",
      "role-template-manage-project-settings","role-template-manage-devops-settings"]'
    kubesphere.io/creator: system
  creationTimestamp: "2023-06-07T07:02:29Z"
  name: admin
  namespace: 266-ai
  resourceVersion: "432055713"
  uid: 53feb9ab-aadd-4bfc-99b4-85af0d01073b
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
```

ks-apiserver logs:

```
2023-06-07T16:35:07.951265905+08:00 I0607 16:35:07.951064 1 apiserver.go:637] 10.233.12.32, 192.168.203.55 - "POST /kapis/iam.kubesphere.io/v1alpha2/namespaces/266-mahjong-lndandongmj/members HTTP/1.1" 422 92 2ms
2023-06-07T16:35:26.442287098+08:00 E0607 16:35:26.442045 1 am.go:985] role.rbac.authorization.k8s.io "admin" not found
2023-06-07T16:35:26.442327660+08:00 E0607 16:35:26.442072 1 am.go:714] role.rbac.authorization.k8s.io "admin" not found
2023-06-07T16:35:26.442343414+08:00 E0607 16:35:26.442089 1 utils.go:76] /workspace/pkg/kapis/iam/v1alpha2/handler.go:938 role.rbac.authorization.k8s.io "admin" not found
```

3 months later

I've run into the same problem. Did you manage to solve it?

8 months later

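Possible causes of the two errors here: 1. Unprocessable Entity RoleBinding.rbac.authorization.k8s.io "-admin" is invalid: subjects[0].name: Required value: the "Project Administrator" field was left empty when assigning the project to the workspace. 2. Not Found role.rbac.authorization.k8s.io "admin" not found: the KubeSphere component ks-controller-manager is malfunctioning.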
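
The first cause described in the reply above, reproduced as an added example that is not part of the thread and not KubeSphere's own code. It assumes the binding is named `<username>-<role>` (inferred from the `-admin` name in the error on this page); the function names `build_role_binding`, `validate_role_binding` and `describe` are hypothetical, and the checks only mirror the field errors quoted in the thread.

```python
"""Pre-flight check for a project-admin RoleBinding (added example)."""


def build_role_binding(namespace, username, role="admin"):
    # Assumption: the binding name is "<username>-<role>", inferred from the
    # "-admin" object name in the error message quoted in the thread.
    group = "rbac.authorization.k8s.io"
    return {
        "apiVersion": f"{group}/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{username}-{role}", "namespace": namespace},
        "roleRef": {"apiGroup": group, "kind": "Role", "name": role},
        "subjects": [{"apiGroup": group, "kind": "User", "name": username}],
    }


def validate_role_binding(binding):
    """Return field errors in the 'path: message' style the API server uses."""
    errors = []
    if not binding.get("roleRef", {}).get("name"):
        errors.append("roleRef.name: Required value")
    for index, subject in enumerate(binding.get("subjects", [])):
        # An empty "Project Administrator" field ends up here as name == "".
        if not subject.get("name"):
            errors.append(f"subjects[{index}].name: Required value")
    return errors


def describe(binding):
    """Render the result the way the console error in the thread reads."""
    errors = validate_role_binding(binding)
    if not errors:
        return "ok"
    name = binding["metadata"]["name"]
    return (f'RoleBinding.rbac.authorization.k8s.io "{name}" is invalid: '
            + ", ".join(errors))


if __name__ == "__main__":
    # Constructed inputs: "demo" namespace, with and without an administrator.
    for admin in ("", "alice"):
        print(repr(admin), "->", describe(build_role_binding("demo", admin)))
```
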
