我使用 Keycloak 作为我的 kubernetes 身份提供者。我正在使用 kubelogin 来获取 token 。 token 似乎有效,但我收到以下错误。我认为 ClusterRoleBinding 中存在一些不允许它工作的问题。
Error from server (Forbidden): pods is forbidden: User "test" cannot list resource "pods" in API group "" in the namespace "default"
附加信息
- --oidc-issuer-url=https://test1.example.com/auth/realms/kubernetes
- --oidc-username-claim=preferred_username
- --oidc-username-prefix=-
- --oidc-groups-claim=groups
- --oidc-client-id=kubernetes
- --oidc-ca-file=/etc/ssl/certs/ca.crt
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: admin-rolebinding
subjects:
- kind: User
name: //test1.example.com.com/auth/realms/kubernetes#23fd6g03-e03e-450e-8b5d-07b19007c443
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
我有什么遗漏的东西可以让它工作吗?
最佳答案
经过大量挖掘,我可以找到问题所在。我们必须使用用户名本身,而不是为用户添加 keycloak url。这是示例 yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: admin-rolebinding
subjects:
- kind: User
name: test
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
关于kubernetes - 登录时从 kubenetes 服务器获取错误 - ClusterRoleBinding,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/61045374/