k8s service call fails with "Message: Forbidden! Configured service account doesn't have access"
A microservice deployed in k8s uses k8s service discovery to call another service's API, and the following warning appears in its log:
2020-11-27 17:09:03,473 WARN org.springframework.cloud.kubernetes.StandardPodUtils (StandardPodUtils.java:79)- Failed to get pod with name:[hotel-qunar-api-7cc9d4dd7b-qbn5c]. You should look into this if things aren't working as you expect. Are you missing serviceaccount permissions? io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.96.0.1/api/v1/namespaces/hotel/pods/hotel-qunar-api-7cc9d4dd7b-qbn5c. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. pods "hotel-qunar-api-7cc9d4dd7b-qbn5c" is forbidden: User "system:serviceaccount:hotel:default" cannot get resource "pods" in API group "" in the namespace "hotel".
Explanation
The message means that the service account hotel:default (the namespace's default ServiceAccount, which every pod without an explicit serviceAccountName runs as) has no RBAC permission to get pods in the hotel namespace. The denied resource is "pods", so whatever role is granted must cover pods; Spring Cloud Kubernetes discovery additionally reads services and endpoints. Define a read-only role:
vi sa.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # no "namespace" here: ClusterRoles are cluster-scoped and a namespace field would be ignored
  name: service-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "services", "endpoints"]
  verbs: ["get", "watch", "list"]
Then apply it and bind it to the service account named in the error (the --clusterrole value must match the ClusterRole name above):
kubectl apply -f sa.yaml
kubectl create clusterrolebinding hotel-default-service-reader --clusterrole=service-reader --serviceaccount=hotel:default
After this, the pod's next GET on /api/v1/namespaces/hotel/pods succeeds. Note that a ClusterRoleBinding lets hotel:default read pods, services and endpoints in every namespace, not just hotel; a namespaced Role plus RoleBinding is the tighter option when the application only needs its own namespace.
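A tighter alternative to the ClusterRole above is a Role in the hotel namespace bound to exactly the account that was denied, followed by a `kubectl auth can-i` check that proves the grant took effect. The shell script below is an added example, not code from the original post or from Spring Cloud Kubernetes: it parses the "is forbidden" sentence from the log line above (embedded as a constructed sample with the curly quotes normalised), renders the matching Role and RoleBinding, and prints the verification command. Granting list and watch alongside the denied verb is an assumption based on what Spring Cloud Kubernetes discovery does; the role and binding names are invented.

```shell
#!/bin/sh
# Added example (not from the original post): turn a Kubernetes "is forbidden"
# message into the smallest namespaced Role/RoleBinding that satisfies it and
# emit the `kubectl auth can-i` command that verifies it.

# Constructed sample: the forbidden sentence from the log above, quotes normalised.
SAMPLE_MSG='pods "hotel-qunar-api-7cc9d4dd7b-qbn5c" is forbidden: User "system:serviceaccount:hotel:default" cannot get resource "pods" in API group "" in the namespace "hotel"'

# parse_forbidden MSG
# Prints one line: sa_namespace|sa_name|verb|resource|api_group|target_namespace
# (api_group is empty for the core group, hence the "|" delimiter rather than spaces).
parse_forbidden() {
  printf '%s\n' "$1" | sed -n \
    's/.*User "system:serviceaccount:\([^:"]*\):\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)" in API group "\([^"]*\)" in the namespace "\([^"]*\)".*/\1|\2|\3|\4|\5|\6/p'
}

# render_rbac MSG
# Emits a Role scoped to the namespace named in the error and a RoleBinding to
# the exact service account that was denied. No ClusterRole/ClusterRoleBinding:
# the pod only needs to read objects in its own namespace.
render_rbac() {
  parsed=$(parse_forbidden "$1")
  [ -n "$parsed" ] || { echo "not a recognisable forbidden message" >&2; return 1; }
  IFS='|' read -r sa_ns sa_name verb resource api_group target_ns <<EOF
$parsed
EOF
  role="${sa_name}-${resource}-reader"   # invented naming convention
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${role}
  namespace: ${target_ns}
rules:
- apiGroups: ["${api_group}"]
  resources: ["${resource}"]
  # list/watch added to the denied verb: assumption for Spring Cloud Kubernetes
  # discovery, which watches the resources it reads
  verbs: ["${verb}", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-binding
  namespace: ${target_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${role}
subjects:
- kind: ServiceAccount
  name: ${sa_name}
  namespace: ${sa_ns}
EOF
}

# can_i_cmd MSG
# Prints the kubectl command that impersonates the service account and asks the
# API server the same question the pod asked; expected answer after apply: "yes".
can_i_cmd() {
  IFS='|' read -r sa_ns sa_name verb resource api_group target_ns <<EOF
$(parse_forbidden "$1")
EOF
  printf 'kubectl auth can-i %s %s -n %s --as=system:serviceaccount:%s:%s\n' \
    "$verb" "$resource" "$target_ns" "$sa_ns" "$sa_name"
}

# Demo run on the constructed sample.
render_rbac "$SAMPLE_MSG"
can_i_cmd "$SAMPLE_MSG"
```

Pipe the rendered manifests into `kubectl apply -f -` and then run the printed `auth can-i` line; it answers "no" before the binding exists and "yes" afterwards. Because the grant lands on the namespace's default account, every other pod in hotel that falls back to default inherits it too; setting serviceAccountName in the Deployment to a dedicated account and binding that instead keeps the scope to the one workload.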
For reference, the RBAC manifests used for GitLab are shown below. Both grant '*' on every resource (the second one is equivalent to cluster-admin), so for an application service account such as hotel:default copy their structure, not their scope.
# Grant all permissions within a single namespace
cat << EOF | kubectl apply -f -
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gitlab-admin
  namespace: gitlab
rules:
- verbs:
  - '*'
  apiGroups:
  - '*'
  resources:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-admin-binding
  namespace: gitlab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gitlab-admin
subjects:
- kind: ServiceAccount
  name: gitlab
  namespace: gitlab
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: gitlab
EOF
# Grant cluster-wide admin permissions
cat << EOF | kubectl apply -f -
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: gitlab-admin
rules:
- verbs:
  - '*'
  apiGroups:
  - '*'
  resources:
  - '*'
- verbs:
  - '*'
  nonResourceURLs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-admin
subjects:
- kind: ServiceAccount
  name: gitlab
  namespace: gitlab
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: gitlab
EOF
Author: 🐳Myki
Last updated: 2020-12-01