報錯信息:
Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. User "system:serviceaccount:mycomp-services-process:default" cannot get resource “pods” in API group "" in the namespace "sscp-sit"
報錯截圖:
解決方法:
在第一個錯誤中,問題是默認命名空間中的serviceaccount default無法獲取服務,因為它無法訪問list / get服務。 因此,您需要做的是使用clusterrolebinding為該用戶分配角色。
參考:https://www.e-learn.cn/content/wangluowenzhang/504150
遵循一組最低權限,您可以先創建一個可以訪問列表服務的角色:
kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: sscp-sit-minimal namespace: sscp-sit rules: - apiGroups: - "" - "extensions" resources: - nodes - services - endpoints - namespaces - ingresses - secrets - pods verbs: - get - list - watch - apiGroups: - "" - "extensions" resources: - configmaps - events - ingresses/status verbs: - get - list - watch - update - create - patch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: sscp-sit-minimal namespace: sscp-sit roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: sscp-sit-minimal subjects: - kind: ServiceAccount name: default namespace: sscp-sit