作者:陈宏儒64721 | 来源:互联网 | 2022-11-23 19:53
我正在本地使用kubernetes
虽然我使用kubernetes构建gitlab有一些问题。我认为这与serviceaccount或角色绑定有关。但找不到正确的方法
我找到了这些帖子
Kubernetes日志,用户“ system:serviceaccount:default:default”无法在名称空间中获取服务
https://github.com/kubernetes/kops/issues/3551
我的错误记录
==> /var/log/gitlab/prometheus/current <==
2018-12-24_03:06:08.88786 level=error ts=2018-12-24T03:06:08.887812767Z caller=main.go:240 compOnent=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:372: Failed to list *v1.Node: nodes is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2018-12-24_03:06:08.89075 level=error ts=2018-12-24T03:06:08.890719525Z caller=main.go:240 compOnent=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:320: Failed to list *v1.Pod: pods is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
Prafull Ladh..
8
该问题是由于您的默认服务帐户无权获取群集范围内的节点或Pod。要解决的最小群集角色和群集角色绑定是:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prom-admin
rules:
# Just an example, feel free to change it
- apiGroups: [""]
resources: ["pods", "nodes"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: prom-rbac
subjects:
- kind: ServiceAccount
name: default
roleRef:
kind: ClusterRole
name: prom-admin
apiGroup: rbac.authorization.k8s.io
上面的群集角色为默认服务帐户提供了访问任何名称空间中任何Pod或节点的权限。
您可以更改群集角色以向服务帐户提供更多权限,如果您想授予对默认服务帐户的所有访问权限,则替换resources: ["*"]为prom-admin
希望这可以帮助。
1> Prafull Ladh..:
该问题是由于您的默认服务帐户无权获取群集范围内的节点或Pod。要解决的最小群集角色和群集角色绑定是:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: prom-admin
rules:
# Just an example, feel free to change it
- apiGroups: [""]
resources: ["pods", "nodes"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: prom-rbac
subjects:
- kind: ServiceAccount
name: default
roleRef:
kind: ClusterRole
name: prom-admin
apiGroup: rbac.authorization.k8s.io
上面的群集角色为默认服务帐户提供了访问任何名称空间中任何Pod或节点的权限。
您可以更改群集角色以向服务帐户提供更多权限,如果您想授予对默认服务帐户的所有访问权限,则替换resources: ["*"]为prom-admin
希望这可以帮助。
![扫描线三巨头 hdu1928hdu 1255 hdu 1542 [POJ 1151]](https://img.php1.cn/3c972/245b5/42f/19446f78530d3747.jpeg)
京公网安备 11010802041100号