Login unauthorized error while connecting to external HashiCorp Vault with Kubernetes service account
Scenario:
I have two Kubernetes 1.17 clusters, one of which has HashiCorp Vault configured. I am trying to connect to it from the other cluster using the kubernetes auth method, and I get a 403 error like the following:
2020-08-11T14:22:46.971Z [ERROR] auth.kubernetes.auth_kubernetes_f530e086: login unauthorized due to: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"tokenreviews.authentication.k8s.io is forbidden: User "system:serviceaccount:default:vault-auth" cannot create resource "tokenreviews" in API group "authentication.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "system:auth-delegator" not found","reason":"Forbidden","details":{"group":"authentication.k8s.io","kind":"tokenreviews"},"code":403}
ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: default
Can someone please help me? What am I missing?
The ClusterRole system:auth-delegator does not exist, which causes this error.
Check whether it exists with the command below:
kubectl get clusterrole | grep system:auth-delegator
If it does not exist, create one with the following yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:auth-delegator
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
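As an added example (not code from the question or the answer), the following Python models the RBAC lookup the API server performs on Vault's TokenReview call, using the two manifests above as already-parsed dicts; it shows why the binding alone produces the `clusterrole ... not found` 403 and why adding the ClusterRole resolves it.

```python
# Added example, not from the question or answer: an offline model of the
# RBAC lookup behind the 403 above. Manifests are constructed dicts
# (already-parsed YAML), so it runs with no cluster and no pyyaml.

CLUSTER_ROLE_BINDING = {  # the binding from the question
    "metadata": {"name": "role-tokenreview-binding"},
    "roleRef": {"kind": "ClusterRole", "name": "system:auth-delegator"},
    "subjects": [{"kind": "ServiceAccount", "name": "vault-auth",
                  "namespace": "default"}],
}

AUTH_DELEGATOR_ROLE = {  # the ClusterRole from the answer
    "metadata": {"name": "system:auth-delegator"},
    "rules": [
        {"apiGroups": ["authentication.k8s.io"],
         "resources": ["tokenreviews"], "verbs": ["create"]},
        {"apiGroups": ["authorization.k8s.io"],
         "resources": ["subjectaccessreviews"], "verbs": ["create"]},
    ],
}

def sa_user(namespace, name):
    """Username the API server derives from a service account token."""
    return f"system:serviceaccount:{namespace}:{name}"

def _rule_matches(rule, verb, resource, api_group):
    """A rule grants the request if every field is listed or wildcarded."""
    wanted = (("verbs", verb), ("resources", resource), ("apiGroups", api_group))
    return all(v in rule[k] or "*" in rule[k] for k, v in wanted)

def can_i(user, verb, resource, api_group, cluster_roles, bindings):
    """Return (allowed, problems). A binding whose roleRef names a missing
    ClusterRole grants nothing, and the API server reports it as
    'not found': that is the error message in the question."""
    roles = {r["metadata"]["name"]: r for r in cluster_roles}
    problems = []
    for b in bindings:
        subjects = {sa_user(s["namespace"], s["name"])
                    for s in b["subjects"] if s["kind"] == "ServiceAccount"}
        if user not in subjects:
            continue  # this binding does not apply to the caller
        role = roles.get(b["roleRef"]["name"])
        if role is None:
            problems.append('clusterrole.rbac.authorization.k8s.io '
                            f'"{b["roleRef"]["name"]}" not found')
        elif any(_rule_matches(r, verb, resource, api_group) for r in role["rules"]):
            return True, []
    return False, problems
```

Against a live cluster the equivalent check is `kubectl auth can-i create tokenreviews.authentication.k8s.io --as=system:serviceaccount:default:vault-auth`, run on the cluster whose API server Vault is configured to talk to.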