Kubernetes check serviceaccount permissions

后端 未结 1 1715
伪装坚强ぢ
伪装坚强ぢ 2021-01-30 11:24

When deploying a service via a Helm Chart, the installation failed because the tiller serviceaccount was not allowed to create a ServiceMonitor resourc

1条回答
  •  孤街浪徒
    2021-01-30 11:51

    After trying lots of things and Googling all over the universe I finally found this blogpost about Securing your cluster with RBAC and PSP where an example is given how to check access for serviceaccounts.

    The correct command is:
    kubectl auth can-i --as=system:serviceaccount:: [-n ]

    To check whether the tiller account has the right to create a ServiceMonitor object:
    kubectl auth can-i create servicemonitor --as=system:serviceaccount:staging:tiller -n staging

    Note: to solve my issue with the tiller account, I had to add rights to the servicemonitors resource in the monitoring.coreos.com apiGroup. After that change, the above command returned yes (finally) and the installation of our Helm Chart succeeded.

    Updated tiller-manager role:

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: tiller-manager
      labels:
        org: ipos
        app: tiller
      annotations:
        description: "Role to give Tiller appropriate access in namespace"
        ref: "https://docs.helm.sh/using_helm/#example-deploy-tiller-in-a-namespace-restricted-to-deploying-resources-only-in-that-namespace"
    rules:
    - apiGroups: ["", "batch", "extensions", "apps"]
      resources: ["*"]
      verbs: ["*"]
    - apiGroups:
        - monitoring.coreos.com
      resources:
        - servicemonitors
      verbs:
        - '*'
    

    0 讨论(0)
提交回复
热议问题