- kubectl get pods -A -o wide
- 查看日志发现
- pods "kube-flannel-ds-amd64-xxxxx" is forbidden: User "system:serviceaccount:kube-system:flannel" cannot get resource "pods" in API group "" in the namespace "kube-system"
- 也就是说flannel用户不能访问kube-system空间下的pods资源
- 但kube-flannel空间下的pod都正常,说明这个集群角色绑定需要再把kube-system空间再绑一下即可
- kubectl describe clusterrolebinding -A
kubectl get clusterrole -A |grep flannelflannel kubectl describe clusterrole flannelName: flannel
Labels: k8s-app=flannel
Annotations: <none>
PolicyRule:Resources Non-Resource URLs Resource Names Verbs--------- ----------------- -------------- -----nodes [] [] [get list watch]pods [] [] [get]clustercidrs.networking.k8s.io [] [] [list watch]nodes/status [] [] [patch]
- 查到有一个clusterrole=flannel 集群角色,直接给他们绑定即可
- kubectl create clusterrolebinding add-on-flannel
- --clusterrole=flannel
- --serviceaccount=kube-system:flannelkubectl describe clusterrolebinding -A
- #新添加的clusterrolebinding将flannel用户绑定到了kube-system空间,解决上面的异常
- Name: add-on-flannel
- Labels: <none>
- Annotations: <none>
- Role:
- Kind: ClusterRole
- Name: flannel
- Subjects:
- Kind Name Namespace
- ServiceAccount flannel kube-system
- #之前有一个clusterrolebinding将flannel用户绑定到了kube-flannel空间
- Name: flannel
- Labels: k8s-app=flannel
- Annotations: <none>
- Role:
- Kind: ClusterRole
- Name: flannel
- Subjects:
- Kind Name Namespace
- ServiceAccount flannel kube-flannel
- 三个节点上的kube-flannel-ds-amd64-xxxxx容器过会都自动启动了
参考:k8s--普通k8s集群---使用rolebinding限制或增加访问命名空间以及可执行操作权限-CSDN博客
