
I am trying to deploy Istio in my environment and I am running into the error below. All the solutions online are about cluster role bindings; I have tried that, but it still fails. Any thoughts on my problem?

kubectl api-versions | grep rbac

rbac.authorization.k8s.io/v1alpha1
rbac.authorization.k8s.io/v1beta1

sudo kubectl apply -f install/kubernetes/istio-rbac-beta.yaml

rolebinding "istio-pilot-admin-role-binding" configured
rolebinding "istio-ca-role-binding" configured
rolebinding "istio-ingress-admin-role-binding" configured
rolebinding "istio-sidecar-role-binding" configured

Error from server (Forbidden): error when creating 
"install/kubernetes/istio-rbac-beta.yaml": 
clusterroles.rbac.authorization.k8s.io "istio-pilot" is forbidden:
attempt to grant extra privileges: [{[*] [istio.io] [istioconfigs] [] 
[]} {[*] [istio.io] [istioconfigs.istio.io] [] []} {[*] [extensions] 
[thirdpartyresources] [] []} {[*] [extensions] 
[thirdpartyresources.extensions] [] []} {[*] [extensions] [ingresses] 
[] []} {[*] [] [configmaps] [] []} {[*] [] [endpoints] [] []} {[*] [] 
[pods] [] []} {[*] [] [services] [] []}] user=&{kubeconfig  
[system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]

Error from server (Forbidden): error when creating 
"install/kubernetes/istio-rbac-beta.yaml": 
clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden: 
attempt to grant extra privileges: [{[create] [] [secrets] [] []} 
{[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} {[list] [] 
[secrets] [] []} {[watch] [] [serviceaccounts] [] []} {[list] [] 
[serviceaccounts] [] []}] user=&{kubeconfig  [system:authenticated] 
map[]} ownerrules=[] ruleResolutionErrors=[]

Error from server (Forbidden): error when creating 
"install/kubernetes/istio-rbac-beta.yaml": 
clusterroles.rbac.authorization.k8s.io "istio-sidecar" is forbidden: 
attempt to grant extra privileges: [{[get] [istio.io] [istioconfigs] [] 
[]} {[watch] [istio.io] [istioconfigs] [] []} {[list] [istio.io] 
[istioconfigs] [] []} {[get] [extensions] [thirdpartyresources] [] []} 
{[watch] [extensions] [thirdpartyresources] [] []} {[list] [extensions] 
[thirdpartyresources] [] []} {[update] [extensions] 
[thirdpartyresources] [] []} {[get] [extensions] [ingresses] [] []} 
{[watch] [extensions] [ingresses] [] []} {[list] [extensions] 
[ingresses] [] []} {[update] [extensions] [ingresses] [] []} {[get] [] 
[configmaps] [] []} {[watch] [] [configmaps] [] []} {[list] [] 
[configmaps] [] []} {[get] [] [pods] [] []} {[watch] [] [pods] [] []} 
{[list] [] [pods] [] []} {[get] [] [endpoints] [] []} {[watch] [] 
[endpoints] [] []} {[list] [] [endpoints] [] []} {[get] [] [services] 
[] []} {[watch] [] [services] [] []} {[list] [] [services] [] []}] 
user=&{kubeconfig  [system:authenticated] map[]} ownerrules=[] 
ruleResolutionErrors=[]

2 Answers


The error Kubernetes is giving you basically means that it thinks whatever you are trying to do is a privilege escalation (which is correct) and is trying to prevent it.

The RBAC API prevents users from escalating privileges by editing roles or role bindings. Because this is enforced at the API level, it applies even when the RBAC authorizer is not in use. A user can only create/update a role if they already have all the permissions contained in the role, at the same scope as the role (cluster-wide for a ClusterRole, within the same namespace or cluster-wide for a Role). For example, if "user-1" does not have the ability to list secrets cluster-wide, they cannot create a ClusterRole containing that permission. (taken from here)

The reason is that the ClusterRole applied (via a ClusterRoleBinding) to the user you are using to access the cluster does not actually have all the permissions you are trying to grant to the application. To fix this, you need to create a ClusterRoleBinding that gives your user the necessary permissions. In your case, it makes sense to bind you to the cluster-admin role, which gives you unlimited permissions.

To do that, you can run something like:

kubectl create clusterrolebinding your-user-cluster-admin --clusterrole=cluster-admin --user=your-user
answered 2017-08-11T00:49:00.847

To prevent escalation attacks, the RBAC API does not allow you to create roles with permissions your user does not currently have (or role bindings to roles that contain permissions you do not have).

The message is telling you that the role you are trying to create has permissions that the current user (username=kubeconfig) does not have.

See https://kubernetes.io/docs/admin/authorization/rbac/#privilege-escalation-prevention-and-bootstrapping for more details.

answered 2017-08-11T00:48:03.380
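
Both answers describe the same check: the API server breaks the requested role into verb/group/resource triples and refuses any triple the requesting user does not already hold. The Python below is an added example (not from the question or either answer) that parses the `attempt to grant extra privileges` list from the istio-ca error in the question and reports which triples two hypothetical users could or could not grant. It assumes resourceNames and nonResourceURLs are empty and that an empty apiGroups field means the core group; the owner rule sets are constructed, not read from a cluster.

```python
import re
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    verbs: frozenset
    api_groups: frozenset
    resources: frozenset

# One rule as the API server prints it: {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}
_TUPLE = re.compile(r"\{\[([^\]]*)\] \[([^\]]*)\] \[([^\]]*)\] \[[^\]]*\] \[[^\]]*\]\}")

def parse_extra_privileges(msg: str) -> list:
    """Parse the rules listed after 'attempt to grant extra privileges:' in a Forbidden error.
    An empty apiGroups field ([]) is how Go prints [""], i.e. the core API group.
    Assumption: resourceNames and nonResourceURLs are empty (as in every rule on this page) and ignored."""
    return [Rule(frozenset(v.split()), frozenset(g.split() or [""]), frozenset(r.split()))
            for v, g, r in _TUPLE.findall(msg)]

def _covers(have: frozenset, want: str) -> bool:
    return "*" in have or want in have   # a wildcard on the granting side matches anything

def missing_privileges(owner_rules: list, wanted_rules: list) -> set:
    """(verb, group, resource) triples the owner cannot grant: a simplified model of the escalation check.
    Kubernetes splits each requested rule into such triples and requires each one to be covered by at
    least one rule the requesting user already holds; anything left over is an 'extra privilege'."""
    missing = set()
    for rule in wanted_rules:
        for verb, group, resource in product(rule.verbs, rule.api_groups, rule.resources):
            if not any(_covers(o.verbs, verb) and _covers(o.api_groups, group)
                       and _covers(o.resources, resource) for o in owner_rules):
                missing.add((verb, group, resource))
    return missing

# Constructed sample: the istio-ca error from the question, joined onto one line.
ISTIO_CA_ERROR = ('clusterroles.rbac.authorization.k8s.io "istio-ca" is forbidden: attempt to grant extra '
                  'privileges: [{[create] [] [secrets] [] []} {[get] [] [secrets] [] []} {[watch] [] [secrets] [] []} '
                  '{[list] [] [secrets] [] []} {[watch] [] [serviceaccounts] [] []} {[list] [] [serviceaccounts] [] []}] '
                  'user=&{kubeconfig  [system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]')

# Hypothetical owners: a read-only user on core resources, and a user bound to cluster-admin.
READ_ONLY_OWNER = [Rule(frozenset({"get", "list", "watch"}), frozenset({""}), frozenset({"*"}))]
CLUSTER_ADMIN_OWNER = [Rule(frozenset({"*"}), frozenset({"*"}), frozenset({"*"}))]

if __name__ == "__main__":
    wanted = parse_extra_privileges(ISTIO_CA_ERROR)
    print("read-only user cannot grant:", missing_privileges(READ_ONLY_OWNER, wanted))  # {('create', '', 'secrets')}
    print("cluster-admin cannot grant:", missing_privileges(CLUSTER_ADMIN_OWNER, wanted))  # set()
```

The same comparison can be made against a live cluster with `kubectl auth can-i <verb> <resource>` for each triple the role requests; a `no` for any of them predicts exactly this Forbidden error.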