我有以下内容:
apiVersion: v1
kind: ServiceAccount
metadata:
name: SomeServiceAccount
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: SomeClusterRole
rules:
- apiGroups:
- "myapi.com"
resources:
- 'myapi-resources'
verbs:
- '*'
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: SomeClusterRoleBinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: SomeClusterRole
subjects:
- kind: ServiceAccount
name: SomeServiceAccount
但它抛出:The ClusterRoleBinding "SomeClusterRoleBinding" is invalid: subjects[0].namespace: Required value
我认为整个要点"Cluster"RoleBinding
是它不限于单个名称空间。任何人都可以解释一下吗?
库伯内特版本1.13.12
Kubectl版本v1.16.2
Thanks.
创建 ServiceAccount 时不需要设置命名空间,这里的情况是,在创建 ClusterRoleBinding 时引用服务帐户以选择它时,需要指定它的命名空间。
ServiceAccounts 是命名空间范围的主题,因此当您引用
他们,您必须指定您的服务帐户的名称空间
想要绑定。Source https://github.com/kubernetes/kubernetes/issues/29177#issuecomment-240712588
例如,在您的情况下,您可以在创建 ClusterRoleBinding 时使用默认命名空间。
通过这样做,您不会将 ClusterRoleBinding 绑定到命名空间,如本示例中所示。
$ kubectl get clusterrolebinding.rbac.authorization.k8s.io/tiller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"tiller"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"tiller","namespace":"kube-system"}]}
creationTimestamp: "2019-11-18T13:47:59Z"
name: tiller
resourceVersion: "66715"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/tiller
uid: 085ed826-0a0a-11ea-a665-42010a8000f7
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)