
Kubernetes system:serviceaccount:default access denied


So, does anyone know exactly what I need to put in the ServiceAccount yaml so that my ServiceAccount is not denied access when I try to list things through the REST API:

curl https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/persistentvolumeclaims -X GET -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"

User "system:serviceaccount:default:my-service-service-account" cannot list persistentvolumeclaims in the namespace "default".

My RBAC serviceAccount is set up in YAML as follows:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.service.name }}-service-account
  labels:
    app: {{ .Values.service.name }}
automountServiceAccountToken: true
---
kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: {{ .Values.service.name }}-role
  labels:
    app: {{ .Values.service.name }}
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete"]
- apiGroups: [""] # "" indicates the core API group
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # No namespace is set here, so Helm places the binding in the release namespace.
  # A RoleBinding only grants access in its own namespace and its roleRef Role must
  # live there too, so the release namespace has to be "default" to match the Role above.
  name: {{ .Values.service.name }}-role-binding
  labels:
    app: {{ .Values.service.name }}
subjects:
  - kind: ServiceAccount
    # Reference to the ServiceAccount's `metadata.name`
    name: {{ .Values.service.name }}-service-account
    # Reference to the ServiceAccount's `metadata.namespace`
    namespace: default
roleRef:
  kind: Role
  name: {{ .Values.service.name }}-role
  apiGroup: rbac.authorization.k8s.io

1 answer

  • 0

    The role you show only allows get/list/watch/delete permissions on pods in the default namespace.

    If you need list permission on persistent volume claims, you also need to include that verb and resource in your role.
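To make the rule matching concrete, here is an added example (not code from the question or the answer) that models how the API server's RBAC authorizer evaluates a request offline. It takes the caller and request from the curl command in the question, assumes `.Values.service.name` is "my-service", and shows three ways the same `list persistentvolumeclaims` request ends in the "cannot list" denial: a rule missing the resource, a verb that is not in the rule, and a RoleBinding that lives in a namespace other than the one being queried. ClusterRole/ClusterRoleBinding and subresource wildcards are deliberately not modelled.

```python
"""Offline model of Kubernetes RBAC Role/RoleBinding matching.

Added example, not code from the question or answer above. A request is
allowed only if a RoleBinding in the request's namespace names the caller
as a subject AND one rule of the bound Role matches apiGroup, resource
and verb ("*" is a wildcard). Anything else is a denial.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class PolicyRule:
    """One entry of a Role's `rules:` list."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)

@dataclass
class Role:
    name: str
    namespace: str
    rules: List[PolicyRule]

@dataclass
class RoleBinding:
    """Binds subjects to a Role; both objects are namespace-scoped."""
    namespace: str
    subjects: List[str]   # "system:serviceaccount:<ns>:<name>" for a ServiceAccount
    role: Role            # roleRef; a Role must live in the binding's namespace

@dataclass
class Request:
    user: str
    verb: str
    api_group: str        # "" is the core group (pods, persistentvolumeclaims, ...)
    resource: str
    namespace: str
    name: str = ""

def _matches(allowed: List[str], wanted: str) -> bool:
    return "*" in allowed or wanted in allowed

def rule_allows(rule: PolicyRule, req: Request) -> bool:
    """A single rule matches only if apiGroup, resource AND verb all match."""
    if not _matches(rule.api_groups, req.api_group):
        return False
    if not _matches(rule.resources, req.resource):
        return False
    if not _matches(rule.verbs, req.verb):
        return False
    if rule.resource_names and req.name not in rule.resource_names:
        return False
    return True

def authorize(bindings: List[RoleBinding], req: Request) -> Tuple[bool, str]:
    """First matching rule wins; no match yields the API server's denial text."""
    for b in bindings:
        if req.user not in b.subjects or b.namespace != req.namespace:
            continue
        for rule in b.role.rules:
            if rule_allows(rule, req):
                return True, f'allowed by Role "{b.role.name}" in namespace "{b.namespace}"'
    return False, (f'User "{req.user}" cannot {req.verb} {req.resource} '
                   f'in the namespace "{req.namespace}"')

# Caller taken from the curl command in the question; the ServiceAccount name
# assumes .Values.service.name == "my-service" (an assumption, not on the page).
SA_USER = "system:serviceaccount:default:my-service-service-account"
ALL_VERBS = ["get", "watch", "list", "delete"]

def page_rules() -> List[PolicyRule]:
    """The two rules as posted in the question's Role."""
    return [PolicyRule([""], ["pods"], ALL_VERBS),
            PolicyRule([""], ["persistentvolumeclaims"], ALL_VERBS)]

def pods_only_rules() -> List[PolicyRule]:
    """A Role that forgot the persistentvolumeclaims rule."""
    return [PolicyRule([""], ["pods"], ALL_VERBS)]

def check(rules: List[PolicyRule], namespace: str = "default",
          verb: str = "list") -> Tuple[bool, str]:
    """Create Role + RoleBinding in `namespace`, then evaluate the PVC request
    from the question (always against namespace "default")."""
    role = Role("my-service-role", namespace, rules)
    binding = RoleBinding(namespace, [SA_USER], role)
    req = Request(SA_USER, verb, "", "persistentvolumeclaims", "default")
    return authorize([binding], req)

if __name__ == "__main__":
    for label, result in [
        ("role as posted, bound in default", check(page_rules())),
        ("pods-only role", check(pods_only_rules())),
        ("role as posted, bound in staging", check(page_rules(), namespace="staging")),
        ("role as posted, verb create", check(page_rules(), verb="create")),
    ]:
        print(f"{label}: {result}")
```

On a real cluster the same question is answered by the API server itself with `kubectl auth can-i list persistentvolumeclaims -n default --as=system:serviceaccount:default:my-service-service-account`, which exercises exactly the subject, namespace and rule matching modelled above and is the quickest way to tell a missing rule apart from a binding applied to the wrong namespace.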
