1. 技术文章
  2. kubespray dashboard warning forbidden popups

kubespray dashboard warning forbidden popups

怎甘沉沦 提交于 2020-05-15 08:45:05

问题


I am trying to set up a new kubernetes cluster on one machine with kubespray (commit 7e84de2ae116f624b570eadc28022e924bd273bc).

After running the playbook (on a fresh ubuntu 16.04), I open the dashboard and see those warning popups:

- configmaps is forbidden: User "system:serviceaccount:default:default" cannot list configmaps in the namespace "default"
- persistentvolumeclaims is forbidden: User "system:serviceaccount:default:default" cannot list persistentvolumeclaims in the namespace "default"
- secrets is forbidden: User "system:serviceaccount:default:default" cannot list secrets in the namespace "default"
- services is forbidden: User "system:serviceaccount:default:default" cannot list services in the namespace "default"
- ingresses.extensions is forbidden: User "system:serviceaccount:default:default" cannot list ingresses.extensions in the namespace "default"
- daemonsets.apps is forbidden: User "system:serviceaccount:default:default" cannot list daemonsets.apps in the namespace "default"
- pods is forbidden: User "system:serviceaccount:default:default" cannot list pods in the namespace "default"
- events is forbidden: User "system:serviceaccount:default:default" cannot list events in the namespace "default"
- deployments.apps is forbidden: User "system:serviceaccount:default:default" cannot list deployments.apps in the namespace "default"
- replicasets.apps is forbidden: User "system:serviceaccount:default:default" cannot list replicasets.apps in the namespace "default"
- jobs.batch is forbidden: User "system:serviceaccount:default:default" cannot list jobs.batch in the namespace "default"
- cronjobs.batch is forbidden: User "system:serviceaccount:default:default" cannot list cronjobs.batch in the namespace "default"
- replicationcontrollers is forbidden: User "system:serviceaccount:default:default" cannot list replicationcontrollers in the namespace "default"
- statefulsets.apps is forbidden: User "system:serviceaccount:default:default" cannot list statefulsets.apps in the namespace "default"

The kubectl commands seem fine (proxy works, listing pods etc. return no error, /api is reachable), however, the dashboard seem unable to fetch any useful information. How should I go about debugging that?


回答1:


kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default

seems to do the trick - I'd welcome an explanation though. (Is it an oversight in kubespray? I need to set up a variable there? Is it related to RBAC?)




回答2:


The dashboard pod is running with default service account , and that account by default dont have permissions, you can see the token of the default service account inside th dashboard pod:

kubectl exec -it <dashboard-pod> bash
ls -al /var/run/secrets/kubernetes.io/serviceaccount

The command you run in your answer , sets the required permisions for the default service account used by dashboard pod.



来源:https://stackoverflow.com/questions/52954810/kubespray-dashboard-warning-forbidden-popups

标签
Kubernetes
kubespray
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!