k8s replicationcontrollers is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "replicationcontrollers" in API group "" in the namespace "default"

k8s dashboard安装完成之后，kubectl describe secret kubernetes-dashboard-token-7nxrg -n kubernetes-dashboard,输入得到的token，然后浏览器登录发现资源一个都没有，右上角一直报错

费了老大的功夫才明白是serviceaccount的问题,k8sdashboard出厂的serviceaccount权限太低，需要配置一个admin用户，用它的token登录即可。

创建Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

创建ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

获取admin的token

kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"

用这个token重新登录

官方文档：https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md

转载k8s之RBAC授权模式 https://www.cnblogs.com/liusy01/p/14274815.html

posted @ 2022-03-14 15:45 风的低吟阅读(1628) 评论(0) 编辑收藏举报

刷新页面返回顶部

风的低吟

k8s replicationcontrollers is forbidden: User "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard" cannot list resource "replicationcontrollers" in API group "" in the namespace "default"

创建Service Account

创建ClusterRoleBinding

转载k8s之RBAC授权模式 https://www.cnblogs.com/liusy01/p/14274815.html

公告