问题描述
我在集群中有两个吊舱.让我们将它们称为A和B.我已经在pod A内安装了kubectl,我试图使用kubectl exec -it podB -- bash
在pod A内的pod B内运行命令.我收到以下错误
I have two pods in a cluster. Lets call them A and B. I've installed kubectl inside pod A and I am trying to run a command inside pod B from pod A using kubectl exec -it podB -- bash
.I am getting the following error
Error from server (Forbidden): pods "B" is forbidden: User "system:serviceaccount:default:default" cannot create pods/exec in the namespace "default"
我创建了以下Role和RoleBinding以获取访问权限.角色yaml
I've created the following Role and RoleBinding to get access.Role yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: api-role
namespace: default
labels:
app: tools-rbac
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
角色绑定Yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: global-rolebinding
namespace: default
labels:
app: tools-rbac
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
任何帮助将不胜感激.谢谢
Any help is greatly appreciated. Thank you
推荐答案
除了像pods
一样,您还需要授予对pods/exec
子资源的访问权限.就是说,这是一件很奇怪的事情,可能很难思考这是否是最好的解决方案.
You would need to give access to the pods/exec
subresource in addition to pods
like you have there. That said, this is a very weird thing to do and probably think very hard as to if this is the best solution.
这篇关于如何使用同一k8s集群中的kubectl exec从另一个Pod中的一个Pod执行命令的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!