pods is forbidden: User "system:serviceaccount:kubernetes-dashboard:admin-user" cannot list resource "pods" in API group "" in the namespace "default"
I am trying to set up Kubernetes on Ubuntu 18.04 following this article.
Everything works, but when I try to access the local Kubernetes dashboard it shows up empty, and nothing like pods, services and deployments is visible.
However, when I run
$> kubectl get pods,svc,deployments
it shows the following output. If the command line shows all the details, why do I see an empty Kubernetes dashboard?
I have run the following commands:
$> kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
$> kubectl proxy
Am I missing any configuration? Any suggestions for fixing this?
$> kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kubernetes-dashboard dashboard-metrics-scraper-76585494d8-4rrdp 1/1 Running 3 46h
kubernetes-dashboard kubernetes-dashboard-5996555fd8-sxgxf 1/1 Running 16 46h
After checking the notifications section, I found these errors:
events is forbidden: User "system:serviceaccount:kubernetes-dashboard:admin-user" cannot list resource "events" in API group "" in the namespace "default"
pods is forbidden: User "system:serviceaccount:kubernetes-dashboard:admin-user" cannot list resource "pods" in API group "" in the namespace "default"
Update 1:
After applying the RBAC below with kubectl apply -f filename.yml, it now works:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
You may need to bind the dashboard service account to the cluster-admin role:
kubectl create clusterrolebinding dashboard-admin-sa --clusterrole=cluster-admin --serviceaccount=default:dashboard-admin-sa
Otherwise the dashboard service account has no access to the data that would populate the dashboard.
I am answering this based on my experience with dashboard v2.1.0 and K8s v1.20.
After kubernetes-dashboard is installed, it creates a service account and two roles named "kubernetes-dashboard": one is bound within the dashboard namespace, the other is bound to a cluster-wide role (but not cluster-admin). So, unfortunately, the permissions are not sufficient to manage the whole cluster, as shown below:
Installation log:
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.1.0/aio/deploy/recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
Looking at the permissions, you see:
$ kubectl describe clusterrole kubernetes-dashboard
Name: kubernetes-dashboard
Labels: k8s-app=kubernetes-dashboard
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
nodes.metrics.k8s.io [] [] [get list watch]
pods.metrics.k8s.io [] [] [get list watch]
$ kubectl describe role kubernetes-dashboard -n kubernetes-dashboard
Name: kubernetes-dashboard
Labels: k8s-app=kubernetes-dashboard
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
secrets [] [kubernetes-dashboard-certs] [get update delete]
secrets [] [kubernetes-dashboard-csrf] [get update delete]
secrets [] [kubernetes-dashboard-key-holder] [get update delete]
configmaps [] [kubernetes-dashboard-settings] [get update]
services/proxy [] [dashboard-metrics-scraper] [get]
services/proxy [] [heapster] [get]
services/proxy [] [http:dashboard-metrics-scraper] [get]
services/proxy [] [http:heapster:] [get]
services/proxy [] [https:heapster:] [get]
services [] [dashboard-metrics-scraper] [proxy]
services [] [heapster] [proxy]
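The error in the question and the two Role/ClusterRole listings above are easiest to understand by evaluating them the way the API server does. The following is an added example (not code from the question, the answer, or the kubernetes-dashboard project): a minimal re-implementation of RBAC rule matching in Python, with the rules transcribed from the `kubectl describe` output above and from the built-in `cluster-admin` ClusterRole (`*` on every group, resource and verb). The subject names and the assumption that `admin-user` has no binding at all are constructed for the example; the namespace scoping of RoleBindings and the fact that a `resourceNames` rule can never satisfy a `list` (a list request carries no object name) follow Kubernetes' own evaluation logic.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One PolicyRule as printed by `kubectl describe role/clusterrole`."""
    api_groups: Tuple[str, ...]            # "" is the core API group, "*" matches any group
    resources: Tuple[str, ...]             # "*" matches any resource
    verbs: Tuple[str, ...]                 # "*" matches any verb
    resource_names: Tuple[str, ...] = ()   # empty means any object name


@dataclass(frozen=True)
class Binding:
    """A RoleBinding (namespace set) or a ClusterRoleBinding (namespace None)."""
    role: Tuple[Rule, ...]
    namespace: Optional[str]


def _match(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, group, resource, verb, name):
    """Does a single rule authorise this request? Mirrors the server's rule matching."""
    if not (_match(rule.api_groups, group)
            and _match(rule.resources, resource)
            and _match(rule.verbs, verb)):
        return False
    # A resourceNames restriction only matches requests that name one object.
    # list/watch carry no name, so a rule with resourceNames never authorises them.
    if rule.resource_names:
        return name is not None and name in rule.resource_names
    return True


def can_i(bindings, verb, resource, namespace, group="", name=None):
    """Deny by default: a request is allowed only if some binding in scope has a matching rule."""
    for b in bindings:
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        if any(rule_allows(r, group, resource, verb, name) for r in b.role):
            return True
    return False


# Rules transcribed from the two `kubectl describe` listings on this page.
METRICS_CLUSTERROLE = (
    Rule(("metrics.k8s.io",), ("nodes", "pods"), ("get", "list", "watch")),
)
DASHBOARD_ROLE = (
    Rule(("",), ("secrets",), ("get", "update", "delete"),
         ("kubernetes-dashboard-certs", "kubernetes-dashboard-csrf",
          "kubernetes-dashboard-key-holder")),
    Rule(("",), ("configmaps",), ("get", "update"), ("kubernetes-dashboard-settings",)),
    Rule(("",), ("services/proxy",), ("get",),
         ("dashboard-metrics-scraper", "heapster", "http:dashboard-metrics-scraper",
          "http:heapster:", "https:heapster:")),
    Rule(("",), ("services",), ("proxy",), ("dashboard-metrics-scraper", "heapster")),
)
# The built-in cluster-admin ClusterRole: everything, everywhere.
CLUSTER_ADMIN = (Rule(("*",), ("*",), ("*",)),)

DASH_SA = "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard"
ADMIN_SA = "system:serviceaccount:kubernetes-dashboard:dashboard-admin"
UNBOUND_SA = "system:serviceaccount:kubernetes-dashboard:admin-user"  # assumed: no binding yet

SUBJECTS = {
    DASH_SA: (Binding(DASHBOARD_ROLE, "kubernetes-dashboard"),   # RoleBinding, namespaced
              Binding(METRICS_CLUSTERROLE, None)),                # ClusterRoleBinding
    ADMIN_SA: (Binding(CLUSTER_ADMIN, None),),
    UNBOUND_SA: (),
}


def check(subject, verb, resource, namespace, group="", name=None):
    return can_i(SUBJECTS.get(subject, ()), verb, resource, namespace, group, name)


if __name__ == "__main__":
    # The question's error: the dashboard-installed rules never cover core pods in "default".
    print("dashboard SA list pods/default:", check(DASH_SA, "list", "pods", "default"))
    print("dashboard SA list pods.metrics.k8s.io:", check(DASH_SA, "list", "pods", "default", "metrics.k8s.io"))
    print("dashboard SA get its csrf secret:", check(DASH_SA, "get", "secrets", "kubernetes-dashboard", "", "kubernetes-dashboard-csrf"))
    print("dashboard SA list secrets in its ns:", check(DASH_SA, "list", "secrets", "kubernetes-dashboard"))
    print("cluster-admin SA delete nodes:", check(ADMIN_SA, "delete", "nodes", None))
```

The last line is the point of the answer's warning: a `cluster-admin` binding is not "list pods", it is every verb on every resource, so whichever service account carries that binding is the one whose token must be protected (and revoked by deleting the binding rather than by editing the pre-installed role).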
Rather than making the kubernetes-dashboard service account a cluster admin, a better way is to leave that account for data collection and create a new service account used only for a token, so that the account's access can easily be revoked instead of altering the permissions of the pre-created account.
To create a new service account named "dashboard-admin" and apply it declaratively:
$ nano dashboard-svcacct.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-admin
  namespace: kubernetes-dashboard
$ kubectl apply -f dashboard-svcacct.yaml
serviceaccount/dashboard-admin created
Bind that new service account to the cluster-admin role:
$ nano dashboard-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: dashboard-admin
  namespace: kubernetes-dashboard
$ kubectl apply -f dashboard-binding.yaml
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
To extract the token from this service account, which can be used to log in:
$ kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep dashboard-admin | awk '{print $1}')
Name: dashboard-admin-token-4fxtt
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 9cd5bb80-7901-413b-9eac-7b72c353d4b9
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1066 bytes
namespace: 20 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Ikp3ZERpQTFPOV<REDACTED>
The whole token starting with "eyJ" can now be used to log in.
But cutting and pasting the token to log in can be a headache, especially with the default timeout. I prefer a config file. For this option the cluster CA hash is needed. The cluster section of this config file is the same as in the config file under ~/.kube/config. This config file does not need to be loaded onto the Kubernetes master, only onto the workstation that accesses the dashboard with a browser. I named it dashboard-config and created it with VS Code (any editor will do; just open the text and make sure there are no spaces in the hash). There is no need to keep any of the admin CA and private-key hashes under users: if you copy the config file.
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <CLUSTER CA HASH HERE>
    server: https://<IP ADDR OF CLUSTER>:6443
  name: kubernetes # name of cluster
contexts:
- context:
    cluster: kubernetes
    user: dashboard-admin
  name: dashboard-admin@kubernetes
current-context: dashboard-admin@kubernetes
kind: Config
preferences: {}
users:
- name: dashboard-admin # must match the user referenced by the context above
  user:
    token: <TOKEN HASH from above command e.g. eyJ>
It can now be used.
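The hand-written kubeconfig above has exactly the failure modes the answer warns about: a context whose `user` does not match any entry under `users`, stray whitespace inside the pasted token, and admin certificate material copied along by mistake. Below is an added example (not the answer's own file or tooling): a small Python helper that builds a token-only kubeconfig for the dashboard user and validates such a file before it is used. The token, CA data and server address are constructed placeholders; `build_kubeconfig` and `validate_kubeconfig` are names chosen for this example. It writes JSON rather than YAML so it needs no third-party library; JSON is valid YAML, so kubectl loads it as a kubeconfig unchanged.

```python
import json
import os

# Fields under `users[].user` that carry admin key material and have no place
# in a token-only dashboard kubeconfig.
ADMIN_CREDENTIAL_KEYS = ("client-certificate-data", "client-key-data",
                         "client-certificate", "client-key")


def build_kubeconfig(cluster_name, server, ca_data, user_name, token):
    """Return a kubeconfig dict with one cluster, one token-only user and one context."""
    context_name = f"{user_name}@{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster_name,
                      "cluster": {"server": server, "certificate-authority-data": ca_data}}],
        "users": [{"name": user_name, "user": {"token": token}}],
        "contexts": [{"name": context_name,
                      "context": {"cluster": cluster_name, "user": user_name}}],
        "current-context": context_name,
    }


def validate_kubeconfig(cfg):
    """Return a list of problems; an empty list means the file is internally consistent."""
    problems = []
    clusters = {c["name"] for c in cfg.get("clusters", [])}
    users = {u["name"] for u in cfg.get("users", [])}
    contexts = {c["name"] for c in cfg.get("contexts", [])}
    for ctx in cfg.get("contexts", []):
        ref = ctx.get("context", {})
        if ref.get("cluster") not in clusters:
            problems.append(f"context {ctx['name']} references unknown cluster {ref.get('cluster')}")
        if ref.get("user") not in users:
            problems.append(f"context {ctx['name']} references unknown user {ref.get('user')}")
    if cfg.get("current-context") not in contexts:
        problems.append(f"current-context {cfg.get('current-context')} is not a defined context")
    for u in cfg.get("users", []):
        creds = u.get("user", {})
        for key in ADMIN_CREDENTIAL_KEYS:
            if key in creds:
                problems.append(f"user {u['name']} carries {key}; keep only the token here")
        token = creds.get("token", "")
        if not token.startswith("eyJ"):
            problems.append(f"user {u['name']}: token does not look like a service-account JWT")
        if any(ch.isspace() for ch in token):
            problems.append(f"user {u['name']}: token contains whitespace (paste error)")
    return problems


def write_kubeconfig(cfg, path):
    """Write the file readable only by its owner: it holds a cluster-admin bearer token."""
    with open(path, "w") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(path, 0o600)


# Constructed sample values; the real ones come from `kubectl describe secret` and ~/.kube/config.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.CONSTRUCTED-PAYLOAD.CONSTRUCTED-SIGNATURE"
SAMPLE_CA = "LS0tLS1CRUdJTi-CONSTRUCTED-CA-DATA"
GOOD_CONFIG = build_kubeconfig("kubernetes", "https://192.0.2.10:6443",
                               SAMPLE_CA, "dashboard-admin", SAMPLE_TOKEN)

# The mismatch from the posted file: the context names user "dashboard-admin",
# but the only users entry is called "kubernetes-dashboard".
POSTED_CONFIG = build_kubeconfig("kubernetes", "https://192.0.2.10:6443",
                                 SAMPLE_CA, "dashboard-admin", SAMPLE_TOKEN)
POSTED_CONFIG["users"][0]["name"] = "kubernetes-dashboard"

if __name__ == "__main__":
    print("good config problems:", validate_kubeconfig(GOOD_CONFIG))
    print("posted config problems:", validate_kubeconfig(POSTED_CONFIG))
    write_kubeconfig(GOOD_CONFIG, "dashboard-config.json")
```

Point the dashboard's "Kubeconfig" login option at the written file. If `validate_kubeconfig` reports an unknown user, the login will silently fall back to no credentials and the dashboard shows the same "forbidden" notifications as in the question.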