Kubernetes CronJob cannot create a Secret because of an RBAC ServiceAccount issue


I am trying to automate refreshing the ECR credential and storing the token in a Secret via a CronJob. Whenever I run the CronJob I get the following error in the resulting Job's logs:

2023-09-14T20:11:20.326837046Z error: failed to create secret secrets is forbidden: User "system:serviceaccount:cfh:default" cannot create resource "secrets" in API group "" in the namespace "cfh"

Interestingly, this does not seem to fail on the delete step. I am wondering whether the issue is related to `kubectl create secret docker-registry` needing different role permissions beyond the standard secrets verbs, since its type is docker-registry, but I am not sure.

My CronJob YAML is as follows:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-registry-helper
  creationTimestamp: '2023-09-11T00:06:03Z'
  generation: 25
  namespace: cfh
spec:
  concurrencyPolicy: Allow
  failedJobsHistoryLimit: 1
  jobTemplate:
    metadata:
      creationTimestamp: null
      namespace: cfh
    spec:
      template:
        metadata:
          creationTimestamp: null
        spec:
          containers:
            - command:
                - /bin/bash
                - '-c'
                - >-
                  ECR_TOKEN=`aws ecr get-login-password --region ${AWS_REGION}`
            
                  NAMESPACE_NAME=cfh
            
                  kubectl delete secret --ignore-not-found regcred -n
                  $NAMESPACE_NAME
            
                  echo "deleted secret"
            
                  kubectl create secret docker-registry regcred
                  --docker-server=https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com
                  --docker-username=AWS --docker-password="${ECR_TOKEN}" -n $NAMESPACE_NAME
            
                  echo "Secret was successfully updated at $(date)"
              envFrom:
                - secretRef:
                    name: ecr-registry-helper-secrets
                - configMapRef:
                    name: ecr-registry-helper-cm
              image: omarxs/awskctl:v1.0
              imagePullPolicy: IfNotPresent
              name: ecr-registry-helper
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              resources: {}
          dnsPolicy: ClusterFirst
          restartPolicy: Never
          schedulerName: default-scheduler
          serviceAccount: default
          serviceAccountName: default
          terminationGracePeriodSeconds: 30
  schedule: 0 */10 * * *
  successfulJobsHistoryLimit: 2
  suspend: false

And my ServiceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  creationTimestamp: '2023-09-10T22:14:31Z'
  namespace: cfh
automountServiceAccountToken: false

The Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: '2023-09-11T00:06:03Z'
  name: role-full-access-to-secrets
  namespace: cfh
rules:
  - apiGroups:
      - ''
    resourceNames:
      - regcred
    resources:
      - secrets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch

And the RoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: '2023-09-11T00:06:03Z'
  name: default-role-binding
  namespace: cfh
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-full-access-to-secrets
subjects:
  - kind: ServiceAccount
    name: default
    namespace: cfh

Answer 1

Thanks to @veera-nagireddy for helping me figure this out (see his comments on the original post for some additional context).

The issue was with the CronJob assuming the ServiceAccount in cfh. To fix it, I also had to create a ClusterRole and ClusterRoleBinding to grant the ServiceAccount in cfh permission to mutate secrets in the namespace.

ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: '2023-09-16T02:39:55Z'
  name: ecr-registry-helper-cluster-role
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - create
      - delete
      - update

ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: '2023-09-16T02:42:42Z'
  name: ecr-registry-helper-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ecr-registry-helper-cluster-role
subjects:
  - kind: ServiceAccount
    name: default
    namespace: cfh

After creating these two resources I was able to create the secret successfully.
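The behaviour in the question (delete succeeds, create is forbidden) is explained by a documented RBAC rule: `create` and `deletecollection` requests cannot be restricted by `resourceNames`, because the object's name is not known at authorization time, so the original Role's `resourceNames: [regcred]` silently dropped the `create` permission while leaving `get` and `delete` on `regcred` working. The accepted answer works around this with a ClusterRole and ClusterRoleBinding, which grants the `default` ServiceAccount `create`/`delete`/`update` on Secrets in every namespace of the cluster. The following is an added example, not part of the original question or answer, showing a namespace-scoped alternative with the same effect and far less privilege. The ServiceAccount, Role and RoleBinding names `ecr-registry-helper` are assumptions; the namespace `cfh` and the Secret name `regcred` are taken from the question.

```yaml
# Added example (not from the original post): least-privilege, namespace-scoped
# RBAC for the ECR token refresh job. Assumed names: ServiceAccount, Role and
# RoleBinding "ecr-registry-helper". Namespace "cfh" and Secret "regcred" come
# from the question.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-registry-helper
  namespace: cfh
# automountServiceAccountToken is deliberately left at its default (true):
# kubectl inside the Job pod can only authenticate as this ServiceAccount if a
# token is mounted. The ServiceAccount in the question sets it to false.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ecr-registry-helper
  namespace: cfh
rules:
  # RBAC cannot restrict "create" (or "deletecollection") by resourceNames;
  # the name of the new object is not known when the request is authorized.
  # This rule is why the original Role allowed the delete step but rejected
  # the create step. "create" therefore has to be granted for all Secrets in
  # the namespace, which is the smallest grant that makes the job work.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Verbs that act on an existing object can stay pinned to regcred.
  # "get" is needed because kubectl delete fetches the object first.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["regcred"]
    verbs: ["get", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ecr-registry-helper
  namespace: cfh
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ecr-registry-helper
subjects:
  - kind: ServiceAccount
    name: ecr-registry-helper
    namespace: cfh
```

To use it, point the CronJob's pod spec at the new account (`serviceAccountName: ecr-registry-helper` instead of `default`) and apply the three manifests with `kubectl apply -f`. Verify the grant before the next scheduled run with `kubectl auth can-i create secrets -n cfh --as=system:serviceaccount:cfh:ecr-registry-helper` (expected `yes`) and confirm it does not leak across namespaces with the same command against another namespace (expected `no`); the ClusterRoleBinding from the accepted answer would answer `yes` to both. If the job script is later changed from delete-then-create to `kubectl create secret ... --dry-run=client -o yaml | kubectl apply -f -`, the Role needs `patch` on `regcred` instead of `delete`, and the Secret is never absent between the two steps.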
