
+ envsubst
+ kubectl apply -f -
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
Name: "ttc-dev-v1", Namespace: "ttc"
from server for: "STDIN": deployments.apps "ttc-dev-v1" is forbidden: User "system:serviceaccount:kubesphere-devops-worker:default" cannot get resource "deployments" in API group "apps" in the namespace "ttc"

The script below works on KubeSphere 3.x but fails on 4.x. I don't know how to configure it. Could an expert give me some pointers? I haven't found any related documentation and don't know how to set up the permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubesphere-devops-worker-installer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ks-installer          # ClusterRole shipped with KubeSphere 3.x; absent in 4.x
subjects:
- kind: ServiceAccount
  name: default
  namespace: kubesphere-devops-worker

    wang88

    4.x no longer has the ks-installer ClusterRole. Create one as needed and substitute it, or use an existing ClusterRole.

      jialinz As the first reply said, create a ClusterRoleBinding that binds the default SA to a specific ClusterRole, e.g. cluster-admin; that SA will then have cluster administrator permissions.


      jialinz

      1. Check the existing permissions

      First, check the current service account's permissions to confirm whether the required permission is missing:

      kubectl auth can-i get deployments --as=system:serviceaccount:kubesphere-devops-worker:default -n paas

      If it returns no, the permission is missing.

      2. Create or update the Role and RoleBinding

      You need to create or update a Role for the service account and bind it to that service account. Below is an example Role and RoleBinding:

      Create the Role

      Create a Role that grants access to deployments:

      vi deployment-reader.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        namespace: paas          # the namespace the pipeline deploys into
        name: deployment-reader
      rules:
      - apiGroups: ["apps"]
        resources:
          - '*'                  # every apps/v1 resource, not only deployments
        verbs:
          - '*'                  # every verb, far more than get/create/patch
      kubectl apply -f deployment-reader.yaml

      Create the RoleBinding

      Bind the Role to the service account:

      vi deployment-reader-binding.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: deployment-reader-binding
        namespace: paas          # must be the same namespace as the Role
      subjects:
      - kind: ServiceAccount
        name: default
        namespace: kubesphere-devops-worker   # the ServiceAccount's own namespace
      roleRef:
        kind: Role
        name: deployment-reader
        apiGroup: rbac.authorization.k8s.io
      kubectl apply -f deployment-reader-binding.yaml

      3. Verify the permissions

      Check again that the permission now takes effect:

      kubectl auth can-i get deployments --as=system:serviceaccount:kubesphere-devops-worker:default -n paas

      I followed your steps and it still doesn't work. The error is as follows:
      + kubectl apply -f -
      Error from server (Forbidden): error when retrieving current configuration of:
      Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
      Name: "icc-pm", Namespace: "icc-projects-online"
      from server for: "STDIN": deployments.apps "icc-pm" is forbidden: User "system:serviceaccount:kubesphere-devops-worker:default" cannot get resource "deployments" in API group "apps" in the namespace "icc-projects-online"
      script returned exit code 1

        jialinz icc-projects-online: my namespace is "paas"; follow my script but change it to your own namespace.

        7 days later

        How was this finally resolved? What were the steps?

        apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        metadata:
          namespace: paas   # change this to your project's namespace
          name: deployment-reader
        rules:
        - apiGroups: ["apps"]
          resources:
            - '*'
          verbs:
            - '*'
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
          name: deployment-reader-binding
          namespace: paas
        subjects:
        - kind: ServiceAccount
          name: default
          namespace: kubesphere-devops-worker
        roleRef:
          kind: Role
          name: deployment-reader
          apiGroup: rbac.authorization.k8s.io

        Say my namespace is dev. I ran kubectl apply -f a.yaml directly and still got the same error.

        5 days later

        Solved, thanks for the pointer.
        First check whether the permission exists:
        kubectl auth can-i get deployments --as=system:serviceaccount:kubesphere-devops-worker:default -n his
        no

        Create the permissions file:
        vim dev-rbac.yaml

        apiVersion: rbac.authorization.k8s.io/v1
        kind: Role
        metadata:
          namespace: his   # note: the namespace must match your project
          name: deployment-reader
        rules:
        - apiGroups: ["apps"]
          resources:
            - '*'
          verbs:
            - '*'
        - apiGroups: [""]
          resources:
            - services
          verbs:
            - '*'
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        metadata:
          name: deployment-reader-binding
          namespace: his   # note: the namespace must match your project
        subjects:
        - kind: ServiceAccount
          name: default
          namespace: kubesphere-devops-worker
        roleRef:
          kind: Role
          name: deployment-reader
          apiGroup: rbac.authorization.k8s.io

        kubectl apply -f dev-rbac.yaml
        After applying, check the permission again:
        [root@k8s-master ~]# kubectl auth can-i get deployments --as=system:serviceaccount:kubesphere-devops-worker:default -n his
        yes
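The check / create / verify procedure from the earlier reply and the final solved post, pulled together as an added example. This is editor-written code, not a script from the thread or from KubeSphere, and the Role name pipeline-deployer is a hypothetical choice; the defaults for the ServiceAccount (kubesphere-devops-worker/default) are taken from the thread. Two things differ from the manifests above on purpose. First, instead of '*' verbs on '*' apps resources (or the cluster-admin binding suggested earlier, which hands the pipeline the whole cluster), it grants only the verbs kubectl apply actually needs (get the live object, then create or patch it) on deployments and services. Second, it checks that both the Role and the RoleBinding carry the namespace from the Forbidden error, because the two "still forbidden" replies came from creating them in paas while the pipeline deployed into a different project namespace; the RoleBinding's subject keeps the ServiceAccount's own namespace, which is the one place the worker namespace belongs.

```shell
# Added example (not the thread's own script): render a least-privilege Role
# and RoleBinding for the pipeline ServiceAccount in ONE project namespace,
# catch the namespace mix-up seen in the thread, and, if kubectl is present,
# apply the manifest and verify it with `kubectl auth can-i`.
# Hypothetical names: Role "pipeline-deployer"; SA defaults are assumptions.
set -eu

# `kubectl apply` GETs the live object, then CREATEs or PATCHes it. These verbs
# cover that; the thread's Role granted '*' verbs on '*' apps resources.
APPLY_VERBS='["get", "list", "watch", "create", "patch", "update"]'

# render_rbac TARGET_NS SA_NS [SA_NAME]  -> prints both manifests to stdout
render_rbac() {
  target_ns="$1"; sa_ns="$2"; sa_name="${3:-default}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pipeline-deployer
  # The Role lives in the namespace the pipeline deploys INTO
  namespace: ${target_ns}
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ${APPLY_VERBS}
- apiGroups: [""]
  resources: ["services"]
  verbs: ${APPLY_VERBS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipeline-deployer-binding
  # The RoleBinding lives in the same target namespace as the Role
  namespace: ${target_ns}
subjects:
- kind: ServiceAccount
  name: ${sa_name}
  # ...but the subject keeps the ServiceAccount's OWN namespace
  namespace: ${sa_ns}
roleRef:
  kind: Role
  name: pipeline-deployer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# manifest_targets_ns MANIFEST NS -> succeeds only if both the Role and the
# RoleBinding carry "metadata.namespace: NS". This is the mistake in the
# thread: objects created in "paas" while the Forbidden error named another
# namespace (icc-projects-online, dev, his).
manifest_targets_ns() {
  n=$(printf '%s\n' "$1" | grep -Fcx "  namespace: $2" || true)
  [ "$n" -ge 2 ]
}

# verify_access TARGET_NS SA_NS [SA_NAME] -> non-zero if any verb that
# kubectl apply needs is still denied for the impersonated ServiceAccount.
verify_access() {
  target_ns="$1"; sa="system:serviceaccount:$2:${3:-default}"
  rc=0
  for verb in get create patch update; do
    if [ "$(kubectl auth can-i "$verb" deployments.apps --as="$sa" -n "$target_ns" || true)" != "yes" ]; then
      echo "DENIED: $sa cannot $verb deployments.apps in $target_ns" >&2
      rc=1
    fi
  done
  return $rc
}

# main TARGET_NS [SA_NS] [SA_NAME]
main() {
  target_ns="${1:?usage: main <target-namespace> [sa-namespace] [sa-name]}"
  sa_ns="${2:-kubesphere-devops-worker}"; sa_name="${3:-default}"
  manifest=$(render_rbac "$target_ns" "$sa_ns" "$sa_name")
  manifest_targets_ns "$manifest" "$target_ns"
  if command -v kubectl >/dev/null 2>&1; then
    printf '%s\n' "$manifest" | kubectl apply -f -
    verify_access "$target_ns" "$sa_ns" "$sa_name"
  else
    # No cluster reachable here: just print what would be applied
    printf '%s\n' "$manifest"
  fi
}

# Runs only when given arguments, e.g.:  sh rbac.sh his
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it once per project namespace the pipeline deploys into (`sh rbac.sh his`, `sh rbac.sh ttc`). The `--as=` impersonation in `verify_access` needs a caller that itself holds the impersonate verb, which cluster-admin does. If the pipeline also applies other kinds (ConfigMaps, Ingresses, and so on), the next Forbidden error will name the resource and API group, and you add one more rule for exactly that resource rather than widening back to '*'.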