I want to allow the Kubernetes pods in the namespace my-namespace to access configmap/config in that same namespace. To do this, I defined the following Role and RoleBinding:
apiVersion: v1
kind: List
items:
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: config
    namespace: my-namespace
  rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["config"]
    verbs: ["get"]
- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: config
    namespace: my-namespace
  subjects:
  - kind: ServiceAccount
    name: default
    namespace: my-namespace
  roleRef:
    kind: Role
    name: config
    apiGroup: rbac.authorization.k8s.io
However, the pod still hits the following error:

configmaps "config" is forbidden: User "system:serviceaccount:my-namespace:default" cannot get resource "configmaps" in API group "" in the namespace "my-namespace"

What am I missing? I assume this must be something simple that a second pair of eyes will spot immediately.
Update: this is the relevant snippet of my client code, which uses go-client:

cfg, err := rest.InClusterConfig()
if err != nil {
	logger.Fatalf("cannot obtain Kubernetes config: %v", err)
}
k8sClient, err := k8s.NewForConfig(cfg) // k8s: import alias for k8s.io/client-go/kubernetes (assumed from the answer's full program)
if err != nil {
	logger.Fatalf("cannot create Clientset: %v", err) // include the error so the failure is diagnosable
}
configMapClient := k8sClient.CoreV1().ConfigMaps(Namespace)
configMap, err := configMapClient.Get(ctx, "config", metav1.GetOptions{})
if err != nil {
	logger.Fatalf("cannot obtain configmap: %v", err) // error occurs here
}
Reply from a helpful uj5u.com user:

I can't see anything particularly wrong with your Role or RoleBinding; in fact, when I deploy them into my environment they appear to work as expected. You haven't provided a complete reproducer in your question, so this is how I am testing it:
I first created a namespace my-namespace, in which I have the following kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: my-namespace
commonLabels:
  app: rbactest
resources:
- rbac.yaml
- deployment.yaml
generatorOptions:
  disableNameSuffixHash: true
configMapGenerator:
- name: config
  literals:
  - foo=bar
  - this=that

In rbac.yaml I have the Role and RoleBinding from your question (unmodified). In deployment.yaml I have:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: cli
spec:
  replicas: 1
  template:
    spec:
      containers:
      - name: cli
        image: quay.io/openshift/origin-cli
        command:
        - sleep
        - inf
With that in place, I deploy everything by running:
kubectl apply -k .
Then, once the pod is up and running, this works:

$ kubectl exec -n my-namespace deploy/cli -- kubectl get cm config
NAME     DATA   AGE
config   2      3m50s
Trying to access a different ConfigMap does not work, as expected:
$ kubectl exec deploy/cli -- kubectl get cm foo
Error from server (Forbidden): configmaps "foo" is forbidden: User "system:serviceaccount:my-namespace:default" cannot get resource "configmaps" in API group "" in the namespace "my-namespace"
command terminated with exit code 1
If you are seeing different behaviour, it would be interesting to find out where your setup differs from what I did.

Your Go code also looks fine; I can run it in the "cli" container:
package main

import (
	"context"
	"fmt"
	"log"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/rest"
)

func main() {
	config, err := rest.InClusterConfig()
	if err != nil {
		panic(err.Error())
	}
	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		panic(err.Error())
	}
	namespace := "my-namespace"
	configMapClient := clientset.CoreV1().ConfigMaps(namespace)
	configMap, err := configMapClient.Get(context.TODO(), "config", metav1.GetOptions{})
	if err != nil {
		log.Fatalf("cannot obtain configmap: %v", err)
	}
	fmt.Printf("%v\n", configMap)
}
If I compile the above, copy it into the container with kubectl cp and run it, I get this output:
&ConfigMap{ObjectMeta:{config my-namespace 2ef6f031-7870-41f1-b091-49ab360b98da 2926 0 2022-10-15 03:22:34 0000 UTC <nil> <nil> map[app:rbactest] map[kubectl.kubernetes.io/last-applied-configuration:{"apiVersion":"v1","data":{"foo":"bar","this":"that"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"rbactest"},"name":"config","namespace":"my-namespace"}}
] [] [] [{kubectl-client-side-apply Update v1 2022-10-15 03:22:34 0000 UTC FieldsV1 {"f:data":{".":{},"f:foo":{},"f:this":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}},"f:labels":{".":{},"f:app":{}}}} }]},Data:map[string]string{foo: bar,this: that,},BinaryData:map[string][]byte{},Immutable:nil,}
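To see why "config" is allowed while "foo" is forbidden without needing a cluster, here is an added example (my own code, not from the question or the answer) that evaluates requests against the Role above using the matching order the Kubernetes RBAC authorizer applies: verb, apiGroup and resource must match, and when a rule sets resourceNames the request's object name must be one of them. It models only the fields that rule uses (no nonResourceURLs, no ClusterRole aggregation); the sample requests mirror the two kubectl calls in the answer plus a list, which carries no object name and therefore never matches a name-restricted rule.

```go
package main

import "fmt"

// PolicyRule holds the rbac.authorization.k8s.io/v1 rule fields the Role above uses.
type PolicyRule struct{ APIGroups, Resources, ResourceNames, Verbs []string }

// Request is one API call as the authorizer sees it; list and watch carry no Name.
type Request struct{ Verb, APIGroup, Resource, Name string }

// matches reports whether want is listed, honouring the "*" wildcard.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// RuleAllows follows the Kubernetes RBAC authorizer: verb, apiGroup and resource must
// match, and a rule that sets resourceNames only matches a request naming one of them.
func RuleAllows(r PolicyRule, req Request) bool {
	return matches(r.Verbs, req.Verb) &&
		matches(r.APIGroups, req.APIGroup) &&
		matches(r.Resources, req.Resource) &&
		(len(r.ResourceNames) == 0 || matches(r.ResourceNames, req.Name))
}

// Allowed is true if any rule permits the request; RBAC has no deny rules.
func Allowed(rules []PolicyRule, req Request) bool {
	for _, r := range rules {
		if RuleAllows(r, req) {
			return true
		}
	}
	return false
}
// ConfigRole is the single rule of the Role named "config" from the question.
var ConfigRole = []PolicyRule{{
	APIGroups: []string{""}, Resources: []string{"configmaps"},
	ResourceNames: []string{"config"}, Verbs: []string{"get"},
}}

func main() {
	for _, name := range []string{"config", "foo"} { // the two kubectl get cm cases above
		fmt.Printf("get configmaps %q -> allowed=%v\n", name, Allowed(ConfigRole, Request{"get", "", "configmaps", name}))
	}
	fmt.Println("list configmaps -> allowed=", Allowed(ConfigRole, Request{"list", "", "configmaps", ""}))
}
```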
Please credit the source when reposting; link to this article: https://www.uj5u.com/net/516032.html
Tags: Kubernetes, kubernetes-go-client, Kubernetes-rbac
