从 pod Forbidden 中列出 pods
Listing pods from inside a pod Forbidden
我是 kubernetes 的新手。我试图通过 javascript 客户端从 pod/container 中列出命名空间中的所有 pods。
import k8s = require('@kubernetes/client-node');
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const k8sApi = kc.makeApiClient(k8s.Core_v1Api);
k8sApi.listNamespacedPod('development')
.then((res) => {
console.log(res.body);
}).catch((err) => {
console.log(err);
});
查看 pod 日志时的响应错误:
{ kind: 'Status',
apiVersion: 'v1',
metadata: {},
status: 'Failure',
message:
'pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "development"',
reason: 'Forbidden',
details: { kind: 'pods' },
code: 403 } }
我认为我需要创建一个新用户或为一个角色添加一些权限,但我不确定在哪里以及如何添加。谢谢
关于错误:
'pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "development"',
默认服务帐户令牌存储在 pod 中的位置:
root@nginx-64f497f8fd-jtvgf:/# ls /var/run/secrets/kubernetes.io/serviceaccount/
ca.crt namespace token
但默认服务帐户无法像您尝试访问的那样访问集群资源,因此您需要创建一个新的服务帐户、角色和角色绑定,然后用它启动 pod服务帐户,或将默认服务帐户绑定到具有所需权限的角色。
Kuberentes RBAC details
作为@Robert Panzer suggested in ,您可以创建一个角色和一个角色绑定来启用 pods 列表:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-reader
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io
我是 kubernetes 的新手。我试图通过 javascript 客户端从 pod/container 中列出命名空间中的所有 pods。
import k8s = require('@kubernetes/client-node');
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
const k8sApi = kc.makeApiClient(k8s.Core_v1Api);
k8sApi.listNamespacedPod('development')
.then((res) => {
console.log(res.body);
}).catch((err) => {
console.log(err);
});
查看 pod 日志时的响应错误:
{ kind: 'Status',
apiVersion: 'v1',
metadata: {},
status: 'Failure',
message:
'pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "development"',
reason: 'Forbidden',
details: { kind: 'pods' },
code: 403 } }
我认为我需要创建一个新用户或为一个角色添加一些权限,但我不确定在哪里以及如何添加。谢谢
关于错误:
'pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "development"',
默认服务帐户令牌存储在 pod 中的位置:
root@nginx-64f497f8fd-jtvgf:/# ls /var/run/secrets/kubernetes.io/serviceaccount/
ca.crt namespace token
但默认服务帐户无法像您尝试访问的那样访问集群资源,因此您需要创建一个新的服务帐户、角色和角色绑定,然后用它启动 pod服务帐户,或将默认服务帐户绑定到具有所需权限的角色。
Kuberentes RBAC details
作为@Robert Panzer suggested in
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-reader
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io