Kubernetes) How to read a Forbidden user error_role,sa
MightyTedKim
2021. 11. 23. 19:55
A Forbidden error, solved with a clusterrole and a serviceaccount
Checking the clusterrole and serviceaccount
While testing spark I ran into a permission-related log
#kubernetes.client.rest.ApiException: (403)
#Reason: Forbidden
#HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Fri, 19 Nov 2021 06:50:38 GMT', 'Content-Length': '417'})
#HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"spark-312-cluster-name.daf0f642f2e34cf69d7faee69da39682\" is forbidden: User \"system:serviceaccount:airflow:airflow-worker\" cannot get resource \"pods/log\" in API group \"\" in the namespace \"default\"","reason":"Forbidden","details":{"name":"spark-312-cluster-name.daf0f642f2e34cf69d7faee69da39682","kind":"pods"},"code":403}\n'
The log can be read piece by piece like this (each fragment of the message tells you one thing, and each has a matching command to check it):
- pods "spark-312-cluster-name.daf0f642f2e34cf69d7faee69da39682" is forbidden
  - so it is a permission problem
  - k edit clusterrole airflow-worker -n airflow (a ClusterRole is cluster-scoped, so -n is ignored here)
- User "system:serviceaccount:airflow:airflow-worker" cannot get resource
  - it names the exact user (a ServiceAccount, in the form system:serviceaccount:<namespace>:<name>)
  - k get [resource] --as system:serviceaccount:airflow:airflow-worker
- "pods/log" in API group ""
  - so it is the pod logs (the log subresource of pods, in the core API group) that cannot be read
  - k logs [POD name] --as system:serviceaccount:airflow:airflow-worker
- in the namespace "default"
  - so the namespace is default
  - k logs spark-312-cluster-name.daf0f642f2e34cf69d7faee69da39682 --as system:serviceaccount:airflow:airflow-worker -n default
Checking this way confirmed that the error came from a missing permission.
I added pods/log to the clusterrole and added the user to the clusterrolebinding.
Checking the clusterrole
Add the pods/log rule to the clusterrole
$ k edit clusterrole sparkoperator-spark-operator
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log   # added this line to fix it
  verbs:
  - '*'

$ k describe clusterrole sparkoperator-spark-operator
Name:         sparkoperator-spark-operator
Labels:       app.kubernetes.io/instance=sparkoperator
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=spark-operator
              app.kubernetes.io/version=v1beta2-1.2.3-3.1.1
              helm.sh/chart=spark-operator-1.1.7
Annotations:  meta.helm.sh/release-name: sparkoperator
              meta.helm.sh/release-namespace: default
PolicyRule:
  Resources                                                     Non-Resource URLs  Resource Names  Verbs
  ---------                                                     -----------------  --------------  -----
  pods/log                                                      []                 []              [*]
  pods                                                          []                 []              [*]
  scheduledsparkapplications.sparkoperator.k8s.io/status        []                 []              [*]
  scheduledsparkapplications.sparkoperator.k8s.io               []                 []              [*]
  sparkapplications.sparkoperator.k8s.io/status                 []                 []              [*]
  sparkapplications.sparkoperator.k8s.io                        []                 []              [*]
  configmaps                                                    []                 []              [create get delete update]
  secrets                                                       []                 []              [create get delete update]
  services                                                      []                 []              [create get delete update]
  ingresses.extensions                                          []                 []              [create get delete]
  ingresses.networking.k8s.io                                   []                 []              [create get delete]
  mutatingwebhookconfigurations.admissionregistration.k8s.io    []                 []              [create get update delete]
  validatingwebhookconfigurations.admissionregistration.k8s.io  []                 []              [create get update delete]
  customresourcedefinitions.apiextensions.k8s.io                []                 []              [create get update delete]
  events                                                        []                 []              [create update patch]
  jobs.batch                                                    []                 []              [delete]
  resourcequotas                                                []                 []              [get list watch]
  nodes                                                         []                 []              [get]
Checking the serviceaccount
Add airflow-worker as a subject so that it receives the policy's permissions
$ k edit clusterrolebinding sparkoperator-spark-operator
subjects:
- kind: ServiceAccount
  name: airflow-worker
  namespace: airflow

$ k describe clusterrolebinding sparkoperator-spark-operator
Name:         sparkoperator-spark-operator
Labels:       app.kubernetes.io/instance=sparkoperator
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=spark-operator
              app.kubernetes.io/version=v1beta2-1.2.3-3.1.1
              helm.sh/chart=spark-operator-1.1.7
Annotations:  meta.helm.sh/release-name: sparkoperator
              meta.helm.sh/release-namespace: default
Role:
  Kind:  ClusterRole
  Name:  sparkoperator-spark-operator
Subjects:
  Kind            Name                          Namespace
  ----            ----                          ---------
  ServiceAccount  sparkoperator-spark-operator  default
  ServiceAccount  airflow-worker                airflow
After that, you can confirm that the logs are returned correctly.
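The steps above (read the 403 message, reproduce the denied check with --as, then grant the missing rule) can be automated, and it is worth doing so for two reasons. First, the resource-kind argument of kubectl auth can-i does not take a subresource: "pods/log" there is read as a pod named "log", so the log subresource has to be passed as --subresource=log. Second, the fix chosen in this post (adding airflow-worker as a subject of the spark-operator ClusterRoleBinding) grants that ServiceAccount every rule in the ClusterRole shown above, in every namespace, including create/get/update/delete on secrets; a Role limited to get on pods/log in the default namespace is what the error actually asks for. The script below is an added example, not code from this post or from the spark-operator or airflow projects. It parses the apiserver's standard Forbidden wording (the sample bodies are constructed from the 403 in the post plus a cluster-scoped variant), prints the exact auth can-i line, and emits the minimal Role/RoleBinding (or ClusterRole/ClusterRoleBinding when no namespace is named); the binding name "airflow-worker-minimal" is a hypothetical choice.

```python
"""Turn a Kubernetes 403 Status body into the RBAC check and the minimal fix.

Added example for this post, not the post's own code. It assumes the
apiserver's standard Forbidden wording (which the 403 in the post uses):
  <kind> "<name>" is forbidden: User "<user>" cannot <verb> resource
  "<resource>[/<subresource>]" in API group "<group>" in the namespace "<ns>"
or, for cluster-scoped resources, "... at the cluster scope".
"""
import json
import re

# Constructed sample: the 403 body from the post as the apiserver returns it
# (a v1 Status object), without the Python bytes-repr escaping the client printed.
SAMPLE_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": ('pods "spark-312-cluster-name.daf0f642f2e34cf69d7faee69da39682" '
                'is forbidden: User "system:serviceaccount:airflow:airflow-worker" '
                'cannot get resource "pods/log" in API group "" in the namespace "default"'),
    "reason": "Forbidden", "code": 403,
})

# Constructed sample of the cluster-scoped variant (no namespace clause).
SAMPLE_CLUSTER_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure", "reason": "Forbidden", "code": 403,
    "message": ('nodes is forbidden: User "system:serviceaccount:airflow:airflow-worker" '
                'cannot list resource "nodes" in API group "" at the cluster scope'),
})

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)


def parse_forbidden(body: str) -> dict:
    """Extract user, verb, resource, subresource, group and namespace from a 403 Status."""
    status = json.loads(body)
    if status.get("code") != 403 or status.get("reason") != "Forbidden":
        raise ValueError(f"not a Forbidden status: {status.get('reason')} {status.get('code')}")
    m = FORBIDDEN_RE.search(status.get("message", ""))
    if not m:
        raise ValueError("unrecognised Forbidden message: " + status.get("message", ""))
    info = m.groupdict()                      # namespace is None at cluster scope
    info["resource"], _, sub = info["resource"].partition("/")
    info["subresource"] = sub or None
    return info


def service_account(user: str):
    """Split system:serviceaccount:<namespace>:<name>; None for non-SA users."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None


def can_i_command(info: dict) -> str:
    """The kubectl auth can-i line that reproduces exactly the denied check.

    A subresource must go in --subresource: 'pods/log' as the TYPE argument is
    read by kubectl as a pod *named* log, which is a different question.
    """
    resource = info["resource"] + (f".{info['group']}" if info["group"] else "")
    cmd = f"kubectl auth can-i {info['verb']} {resource}"
    if info["subresource"]:
        cmd += f" --subresource={info['subresource']}"
    if info["namespace"]:
        cmd += f" -n {info['namespace']}"
    return cmd + f" --as={info['user']}"


def least_privilege_rbac(info: dict, name: str) -> list:
    """Role/RoleBinding (or ClusterRole/ClusterRoleBinding when the resource is
    cluster-scoped) granting only the denied verb on the denied resource to the
    denied subject. Contrast with the post's fix: adding the SA as a subject of
    the operator's ClusterRoleBinding grants every rule in that ClusterRole, in
    every namespace. The object name is a hypothetical choice of the caller."""
    sa = service_account(info["user"])
    subject = ({"kind": "ServiceAccount", "name": sa[1], "namespace": sa[0]} if sa else
               {"kind": "User", "name": info["user"], "apiGroup": "rbac.authorization.k8s.io"})
    resource = info["resource"] + (f"/{info['subresource']}" if info["subresource"] else "")
    ns = info["namespace"]
    role_kind, binding_kind = ("Role", "RoleBinding") if ns else ("ClusterRole", "ClusterRoleBinding")
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": role_kind, "metadata": meta,
            "rules": [{"apiGroups": [info["group"]], "resources": [resource], "verbs": [info["verb"]]}]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": binding_kind, "metadata": dict(meta),
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role_kind, "name": name},
               "subjects": [subject]}
    return [role, binding]


if __name__ == "__main__":
    for body in (SAMPLE_BODY, SAMPLE_CLUSTER_BODY):
        info = parse_forbidden(body)
        print(can_i_command(info))
        # JSON is valid input for kubectl apply -f, so no YAML library is needed.
        for obj in least_privilege_rbac(info, "airflow-worker-minimal"):
            print(json.dumps(obj, indent=2))
```

Two caveats when using this against a real cluster: --as only works if the identity running kubectl is itself allowed to impersonate serviceaccounts (cluster-admin is, most other users are not), and the rule derived from one 403 is exactly one rule, so a client that also reads the pod object before its logs (kubectl logs does) will report a second Forbidden for get on pods that you handle the same way rather than widening the first rule to a wildcard.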