Unable to load in-cluster configuration

Question

I wrote a Go app which will list all the constraint violations in the cluster. When I tried to build it as a Docker image and run it in my pod, I got this error.

pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: opa
  labels:
    name: opa
spec:
  containers:
  - name: opa
    image: sathya0803/opa-task:latest
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"
    ports:
      - containerPort: 8000

ERROR:

revaa@revaa-Lenovo-E41-25:~/opa$ kubectl logs opa
2021/07/30 05:50:12 Using incluster K8S client
2021/07/30 05:50:12 Using incluster K8S client
2021/07/30 05:50:12 err:k8srequiredlabels.constraints.gatekeeper.sh is forbidden: User "system:serviceaccount:default:opa" cannot list resource "k8srequiredlabels" in API group "constraints.gatekeeper.sh" at the cluster scope
2021/07/30 05:50:12 listing constraints violations...
2021/07/30 05:50:12 data: null

Answer 1

Score: 1

As mentioned by @Ferdy Pruis, the service account you are using does not have the necessary privileges to perform the task using the Kubernetes API. Check the RBAC below to provision your own service account with the appropriate permissions.

This will grant the default service account view permissions. A more secure approach would probably be to create a new service account, grant it the view permissions, and then assign that service account to the deployment configuration.

# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has been served since 1.8
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default

Refer to these links for creating and managing service accounts and IAM.
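A least-privilege version of what the answer recommends, added here as an example and not the answer's own manifest: a dedicated service account, a ClusterRole that grants only read access on the Gatekeeper constraint resource named in the error, and the questioner's pod bound to that account instead of the namespace's `default` account. The name `opa-constraint-reader` is an assumption; the API group `constraints.gatekeeper.sh` and resource `k8srequiredlabels` come from the error message in the question. Binding a narrow role like this is more dependable than the built-in `view` ClusterRole, because `view` is an aggregated role that only covers custom resources whose operator ships a ClusterRole labelled `rbac.authorization.k8s.io/aggregate-to-view: "true"`.

```yaml
# Added example (not from the answer): a dedicated identity with read-only
# access to Gatekeeper constraint resources. The name "opa-constraint-reader"
# is assumed; the group and resource come from the error in the question.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: opa-constraint-reader
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: opa-constraint-reader
rules:
  # Constraints are cluster-scoped CRDs, so a ClusterRole is required;
  # a namespaced Role could never satisfy a "cluster scope" list request.
  - apiGroups: ["constraints.gatekeeper.sh"]
    resources: ["k8srequiredlabels"]   # add further constraint kinds here as the app needs them
    verbs: ["get", "list", "watch"]    # read-only: no create/update/delete on policy objects
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: opa-constraint-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: opa-constraint-reader
subjects:
  - kind: ServiceAccount
    name: opa-constraint-reader
    namespace: default
---
apiVersion: v1
kind: Pod
metadata:
  name: opa
  labels:
    name: opa
spec:
  serviceAccountName: opa-constraint-reader   # replaces the implicit "default" account
  containers:
    - name: opa
      image: sathya0803/opa-task:latest
      resources:
        limits:
          memory: "128Mi"
          cpu: "500m"
      ports:
        - containerPort: 8000
```

Apply it with `kubectl apply -f`, then confirm the grant before trusting the logs: `kubectl auth can-i list k8srequiredlabels.constraints.gatekeeper.sh --as=system:serviceaccount:default:opa-constraint-reader` should print `yes`, and the same command with `--as=system:serviceaccount:default:default` should still print `no`, which shows the namespace's default account gained nothing. Note that `serviceAccountName` is immutable on a running pod, so the existing `opa` pod has to be deleted and recreated for the new token to be mounted.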

Posted by huangapple on 2021-07-30 11:32:52. Reposts must retain the original link: https://go.coder-hub.com/68585145.html