How to create a service account for all namespaces in a Kubernetes cluster?

Problem description

So I have namespaces ns1, ns2, ns3, and ns4.

I have a service account sa1 in ns1. I am deploying pods to ns2, ns4 that use sa1. When I look at the logs it tells me that the sa1 in ns2 can't be found.

Error:

Error creating: pods "web-test-2-795f5fd489-" is forbidden: error looking up service account ns2/sa: serviceaccount "sa" not found

Is there a way to make service accounts cluster wide? Or can I create multiple service accounts with the same secret in different namespaces?

Recommended answer

You can use this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubernetes-enforce
rules:
- apiGroups: ["apps"]
  resources: ["deployments","pods","daemonsets"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["*"]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]

---
apiVersion: v1
kind: ServiceAccount

metadata:
  name: kubernetes-enforce
  namespace: kube-system
---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-logging
  namespace: cattle-logging
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-prome
  namespace: cattle-prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-system
  namespace: cattle-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-enforce-default
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-enforce
subjects:
- kind: ServiceAccount
  name: kubernetes-enforce
  namespace: kube-system
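
ServiceAccounts are namespaced, and a pod can only run as a ServiceAccount that exists in its own namespace, so the lookup of ns2/sa in the error above fails until one is created there. As an added example (not part of the original answer), this shell function renders one ServiceAccount and one RoleBinding per namespace, which keeps the granted permissions scoped to the listed namespaces; the name sa1 and the namespaces ns1 to ns4 come from the question, the ClusterRole kubernetes-enforce from the answer, and the function name render_sa_manifests is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Assumptions: SA name "sa1" and namespaces ns1..ns4 are taken from the
# question; ClusterRole "kubernetes-enforce" is taken from the answer.

# render_sa_manifests SA_NAME CLUSTER_ROLE NAMESPACE...
# Prints a ServiceAccount and a namespaced RoleBinding for every namespace.
render_sa_manifests() {
  sa="$1"; role="$2"; shift 2
  for ns in "$@"; do
    # Refuse names that are not lowercase DNS labels before templating YAML,
    # so a malformed argument cannot inject extra manifest fields.
    case "$ns" in
      ''|*[!a-z0-9-]*|-*|*-) echo "invalid namespace: $ns" >&2; return 1 ;;
    esac
    cat <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-${role}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
  done
}

# Review the rendered manifests, then pipe them to: kubectl apply -f -
render_sa_manifests sa1 kubernetes-enforce ns1 ns2 ns3 ns4
```

Because each binding is a RoleBinding rather than a ClusterRoleBinding, the ClusterRole's rules apply only inside the namespace that holds the binding.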




08-13 12:23