Kubernetes CronJob cannot create a Secret because of an RBAC ServiceAccount problem

I am trying to automatically refresh ECR credentials with a CronJob and store the token in a Secret. Whenever the CronJob runs, I get the following error in the logs of the generated Job:

2023-09-14T20:11:20.326837046Z error: failed to create secret secrets is forbidden: User "system:serviceaccount:cfh:default" cannot create resource "secrets" in API group "" in the namespace "cfh"

Interestingly, it does not seem to fail on the delete step. I wonder whether the problem is related to kubectl create secret docker-registry needing different role permissions than the standard secrets verbs, since it is of type docker-registry, but I'm not sure.

My CronJob YAML looks like this:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-registry-helper
  creationTimestamp: '2023-09-11T00:06:03Z'
  generation: 25
  namespace: cfh
spec:
  concurrencyPolicy: Allow
  failedJobsHistoryLimit: 1
  jobTemplate:
    metadata:
      creationTimestamp: null
      namespace: cfh
    spec:
      template:
        metadata:
          creationTimestamp: null
        spec:
          containers:
            - command:
                - /bin/bash
                - '-c'
                - >-
                  ECR_TOKEN=`aws ecr get-login-password --region ${AWS_REGION}`
            
                  NAMESPACE_NAME=cfh
            
                  kubectl delete secret --ignore-not-found regcred -n
                  $NAMESPACE_NAME
            
                  echo "deleted secret"
            
                  kubectl create secret docker-registry regcred
                  --docker-server=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
                  --docker-username=AWS --docker-password="${ECR_TOKEN}" -n $NAMESPACE_NAME
            
                  echo "Secret was successfully updated at $(date)"
              envFrom:
                - secretRef:
                    name: ecr-registry-helper-secrets
                - configMapRef:
                    name: ecr-registry-helper-cm
              image: omarxs/awskctl:v1.0
              imagePullPolicy: IfNotPresent
              name: ecr-registry-helper
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              resources: {}
          dnsPolicy: ClusterFirst
          restartPolicy: Never
          schedulerName: default-scheduler
          serviceAccount: default
          serviceAccountName: default
          terminationGracePeriodSeconds: 30
  schedule: 0 */10 * * *
  successfulJobsHistoryLimit: 2
  suspend: false

and my ServiceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  creationTimestamp: '2023-09-10T22:14:31Z'
  namespace: cfh
automountServiceAccountToken: false

the Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: '2023-09-11T00:06:03Z'
  name: role-full-access-to-secrets
  namespace: cfh
rules:
  - apiGroups:
      - ''
    resourceNames:
      - regcred
    resources:
      - secrets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch

and the RoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: '2023-09-11T00:06:03Z'
  name: default-role-binding
  namespace: cfh
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-full-access-to-secrets
subjects:
  - kind: ServiceAccount
    name: default
    namespace: cfh

Answer 1

Thanks to @veera-nagireddy for helping me solve this (see his comments on the original post for more background).

The problem was that, despite assuming the role of the cfh ServiceAccount, the CronJob itself did not have permission to create/update secrets in the namespace. To fix this, I also had to create a ClusterRole & ClusterRoleBinding granting the ServiceAccount permission to change secrets in the cfh namespace.

ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: '2023-09-16T02:39:55Z'
  name: ecr-registry-helper-cluster-role
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - create
      - delete
      - update

ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: '2023-09-16T02:42:42Z'
  name: ecr-registry-helper-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ecr-registry-helper-cluster-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: cfh

After creating these two resources, I was able to create the secret successfully.
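The accepted fix works, but a ClusterRole bound through a ClusterRoleBinding lets the default ServiceAccount create, update and delete secrets in every namespace, not only cfh. The original Role failed only on create because Kubernetes RBAC cannot restrict the create verb by resourceNames (the object's name is not known at authorization time), so the delete of regcred matched the rule while the create never could; the manifest below is an added, namespace-scoped alternative that is not part of the question or the answer, and the Role and RoleBinding names in it are assumed.

```yaml
# Added example, not from the question or the answer: a namespaced Role that
# lets cfh/default rotate the regcred secret without a cluster-wide grant.
# The create rule carries no resourceNames because Kubernetes RBAC cannot
# restrict create (or deletecollection) by name; the other verbs stay pinned
# to regcred. Role and RoleBinding names are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-registry-helper-role
  namespace: cfh
rules:
  # Needed for `kubectl create secret docker-registry regcred`. This rule
  # cannot be narrowed by resourceNames, so it allows creating any secret
  # in cfh, but nothing outside the namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # The delete step (which matched by name under the original Role) and
  # read access for checking the result stay limited to regcred.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["regcred"]
    verbs: ["get", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ecr-registry-helper-role-binding
  namespace: cfh
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ecr-registry-helper-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: cfh
```

Before running the CronJob again, the grant can be checked from outside the pod with `kubectl auth can-i create secrets -n cfh --as=system:serviceaccount:cfh:default`, and the same command with `-n` pointed at another namespace should answer "no".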
