Kubernetes RBAC permission problem

Keywords: Nginx Kubernetes git github

The following problems occurred while configuring Ingress, and all of them are caused by the RBAC configuration. RBAC was introduced in Kubernetes 1.6, and the RBAC API version differs between releases, so pay attention to apiVersion when writing the YAML. Here we work through one example that resolves the RBAC problems; the concept of RBAC itself is not explained.

1. Problem 1
I0531 02:36:29.882636       7 launch.go:101] &{NGINX 0.9.0-beta.7 git-c1b8a32 https://github.com/kubernetes/ingress}
I0531 02:36:29.882660       7 launch.go:104] Watching for ingress class: nginx
I0531 02:36:29.882815       7 launch.go:257] Creating API server client for https://10.254.0.1:443
F0531 02:36:29.914513       7 launch.go:118] no service with name kube-system/default-http-backend found: User "system:serviceaccount:kube-system:default" cannot get services in the namespace "kube-system". (get services default-http-backend)

2. Problem 2
 MountVolume.SetUp failed for volume "kubernetes.io/secret/6e55da79-e6de-11e7-8fc8-a2a5d2bd6632-fluentd-token-n74hg" (spec.Name: "fluentd-token-n74hg") pod "6e55da79-e6de-11e7-8fc8-a2a5d2bd6632" (UID: "6e55da79-e6de-11e7-8fc8-a2a5d2bd6632") with: secrets "fluentd-token-n74hg" not found

3. Problem 3
2017-06-15 03:05:29 +0000 [info]: adding match pattern="**" type="elasticsearch"
2017-06-15 03:05:29 +0000 [error]: config error file="/fluentd/etc/fluent.conf" error="Exception encountered fetching metadata from Kubernetes API endpoint: 403 Forbidden (User \"system:serviceaccount:kube-system:default\" cannot list pods at the cluster scope.)"
2017-06-15 03:05:29 +0000 [info]: process finished code=256
2017-06-15 03:05:29 +0000 [warn]: process died within 1 second. exit.

The following YAML manifests can be adapted to your own project.

  1. Create Namespace
    Create a namespace called nginx-ingress. Everything that follows deals with nginx ingress, so the name of the namespace itself does not matter; choose one that fits your project.
apiVersion: v1
kind: Namespace
metadata:
  name: nginx-ingress
  2. Create ServiceAccount
    Create a ServiceAccount named nginx-ingress-serviceaccount; its namespace is the nginx-ingress namespace just created.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: nginx-ingress

In the Deployment, the pod references the ServiceAccount through the serviceAccountName field (the author's example uses the value kubernetes-dashboard).

  3. Create ClusterRole
    Create a ClusterRole named nginx-ingress-clusterrole and grant the required permissions through rules. Note that apiVersion is rbac.authorization.k8s.io/v1beta1 because Kubernetes 1.6 is used here; later versions use rbac.authorization.k8s.io/v1.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update
  4. Create Role
    Create a Role named nginx-ingress-role in the nginx-ingress namespace and grant the corresponding permissions through rules.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: nginx-ingress
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - create
      - update
  5. Create RoleBinding
    Create a RoleBinding named nginx-ingress-role-nisa-binding in the nginx-ingress namespace; it binds the Role nginx-ingress-role to the ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: nginx-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: nginx-ingress
  6. Create ClusterRoleBinding
    Create a ClusterRoleBinding named nginx-ingress-clusterrole-nisa-binding that binds the ClusterRole nginx-ingress-clusterrole to the same ServiceAccount; unlike the RoleBinding, it applies in every namespace and at cluster scope.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: nginx-ingress
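To see why the unbound kube-system:default ServiceAccount produced the 403 errors in problems 1 and 3, and what the ClusterRole, Role and two bindings above actually grant, here is an added example (not from the original post) that models the RBAC authorizer's decision offline. The manifests are transcribed by hand into Python data, so no cluster, kubectl or PyYAML is needed; the manifest names and the 403 wording come from the page, while the function names (`can_i`, `decision`, `service_account`) are this example's own.

```python
# Added example: offline model of the API server's RBAC decision for the
# manifests on this page. Names (nginx-ingress-clusterrole, nginx-ingress-role,
# the ServiceAccount) are the page's; the helpers below are this example's own.

SA_PREFIX = "system:serviceaccount:"


def service_account(namespace, name):
    """Username the API server assigns to a ServiceAccount token."""
    return f"{SA_PREFIX}{namespace}:{name}"


# --- manifests from the page, transcribed as data --------------------------
CLUSTER_ROLES = {
    "nginx-ingress-clusterrole": [
        {"apiGroups": [""], "resources": ["configmaps", "endpoints", "nodes", "pods", "secrets"],
         "verbs": ["list", "watch"]},
        {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses/status"], "verbs": ["update"]},
    ],
}

# Roles are namespaced, so they are keyed by (namespace, name).
ROLES = {
    ("nginx-ingress", "nginx-ingress-role"): [
        {"apiGroups": [""], "resources": ["configmaps", "pods", "secrets"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get", "create", "update"]},
    ],
}

INGRESS_SA = service_account("nginx-ingress", "nginx-ingress-serviceaccount")

# A ClusterRoleBinding grants the ClusterRole's rules in every namespace and at
# cluster scope; a RoleBinding grants rules only inside its own namespace.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "nginx-ingress-clusterrole", "subjects": {INGRESS_SA}},
]
ROLE_BINDINGS = [
    {"namespace": "nginx-ingress", "roleRef": ("Role", "nginx-ingress-role"),
     "subjects": {INGRESS_SA}},
]


def _rule_matches(rule, api_group, resource, verb):
    """One PolicyRule allows a request only if group, resource and verb all match ('*' is a wildcard)."""
    def hit(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def _effective_rules(user, namespace):
    """Rules that apply to `user` for a request in `namespace` (None means cluster scope)."""
    rules = []
    for crb in CLUSTER_ROLE_BINDINGS:
        if user in crb["subjects"]:
            rules.extend(CLUSTER_ROLES.get(crb["roleRef"], []))
    if namespace is None:
        return rules  # RoleBindings never grant cluster-scoped access
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace or user not in rb["subjects"]:
            continue
        kind, name = rb["roleRef"]
        if kind == "Role":
            rules.extend(ROLES.get((namespace, name), []))
        else:  # a RoleBinding may reference a ClusterRole, but only for this namespace
            rules.extend(CLUSTER_ROLES.get(name, []))
    return rules


def can_i(user, verb, resource, namespace=None, api_group=""):
    """RBAC is allow-only: a request succeeds if any effective rule matches, else it is denied."""
    return any(_rule_matches(r, api_group, resource, verb)
               for r in _effective_rules(user, namespace))


def decision(user, verb, resource, namespace=None, api_group=""):
    """Render the outcome in the wording of the 403 messages seen in the logs above."""
    if can_i(user, verb, resource, namespace, api_group):
        return "allowed"
    scope = "at the cluster scope" if namespace is None else f'in the namespace "{namespace}"'
    return f'User "{user}" cannot {verb} {resource} {scope}.'


if __name__ == "__main__":
    default_sa = service_account("kube-system", "default")  # the unbound SA behind problems 1 and 3
    print(decision(default_sa, "get", "services", "kube-system"))        # problem 1
    print(decision(default_sa, "list", "pods"))                          # problem 3 (cluster scope)
    print(decision(INGRESS_SA, "get", "services", "kube-system"))        # granted by the ClusterRoleBinding
    print(decision(INGRESS_SA, "list", "pods"))                          # granted by the ClusterRoleBinding
    print(decision(INGRESS_SA, "create", "endpoints", "nginx-ingress"))  # Role: write access in its own namespace
    print(decision(INGRESS_SA, "create", "endpoints", "kube-system"))    # same verb elsewhere stays denied
```

The last two lines are the least-privilege point of splitting the manifests into a ClusterRole and a Role: read-only list/watch is cluster-wide because the controller must see every namespace, while the write verbs on endpoints, and get on secrets, are granted only inside nginx-ingress. On a real cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n <namespace> --as=system:serviceaccount:<ns>:<name>`.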

Posted by JayBachatero on Mon, 04 May 2020 16:58:37 -0700