问题
When I deploy my golang service to any namespace but the default namespace, the service is unable to retrieve pods on any namespace. The same service deployed on the default namespace works perfectly, using the golang client-go api.
Is this a security issue?
Thanks.
回答1:
This issue is permission issue. Since you are using rest.InClusterConfig(config) to create client. That means it using pod's service account as credential. So check whether that service account has the permission to get pods in any namespace.
if service account in the pod is not defined, then it will use
defaultservice account.
If RBAC is enabled in your cluster, then check the role binding in that namespace, to find out whether your service account has the permission.
# to see the list of role bindings in 'default' namespace
kubectl get rolebindings --namespace default
To see the specific rolebinding
kubectl get rolebindings ROLE-BINDING-NAME --namespace default -o yaml
Also you can create role and role binding to give permission. To know about RBAC role and role binding see here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
回答2:
Following is what I used on a minikube cluster to give the default service account access to crud ops on common resources. The obvious caveat is that you'd need to be careful on a real cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: crud-role
namespace: default
rules:
- apiGroups: ["", "apps", "batch"]
resources: [ "deployments", "jobs", pods", "replicasets", services" ]
verbs: [ "create", "get", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: crud-role-binding
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: crud-role
subjects:
- kind: ServiceAccount
name: default
namespace: default
来源:https://stackoverflow.com/questions/53394844/in-cluster-config-is-unable-to-get-pods-when-deployed-in-a-non-default-namespace