Set the configuration context:
[candidate@node-1] $ kubectl config use-context k8s
Task
A Pod in the Deployment named honeybee-deployment in namespace gorilla is logging errors.
- Check the logs to identify the error message. Find the error, which includes User "system:serviceaccount:gorilla:default" cannot list resource "serviceaccounts" […] in the namespace "gorilla"
- Update the Deployment honeybee-deployment to resolve the error in the Pod logs. You can find the manifest file for honeybee-deployment at /ckad/prompt-escargot/honeybee-deployment.yaml

Solution: first build a mock environment
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: honeybee-deployment
  name: honeybee-deployment
  namespace: gorilla
spec:
  replicas: 2
  selector:
    matchLabels:
      app: honeybee-deployment
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: honeybee-deployment
    spec:
      serviceAccountName: default
      containers:
      - image: nginx
        name: nginx
        resources: {}
status: {}
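kubectl create ns gorilla
# Create gorilla-sa, which the RoleBinding below references and the Deployment is later switched to
kubectl create serviceaccount gorilla-sa -n gorilla
kubectl create role gorilla-role --verb=get --verb=list --resource=pods,serviceaccounts,deployments.apps -n gorilla
kubectl create rolebinding -h
kubectl create rolebinding gorilla-rolebinding -n gorilla --role=gorilla-role --serviceaccount=gorilla:gorilla-sa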
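This task tests RBAC. The error occurs because the service account the Deployment uses does not have the required permission, while the service account that does have the permission has not been set as the Deployment's service account.

View the error log: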
kubectl -n gorilla get pod
kubectl -n gorilla logs honeybee-deployment-bdfd994c-chbbl
In the exam, whether the error is that it cannot list pods, cannot list deployments, or cannot list serviceaccounts, the approach is the same.

Check the Deployment's service account:
kubectl -n gorilla describe deployments.apps honeybee-deployment
View the details of the role, rolebinding, and sa in the gorilla namespace:
kubectl -n gorilla describe role,rolebinding,sa
As shown, gorilla-role has the get and list permissions, and the service account bound to it is gorilla-sa, so change the Deployment's service account to gorilla-sa:
kubectl -n gorilla set serviceaccount deployments honeybee-deployment gorilla-sa
Check that the Deployment's service account was changed:
kubectl -n gorilla describe deployments.apps honeybee-deployment
Check the Pods and view the Pod logs:
kubectl -n gorilla get pod
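
The lookup done by eye in the `describe role,rolebinding,sa` step above can be scripted. This is an added example, not part of the original walkthrough. It resolves RoleBinding -> Role -> rules to list which service accounts hold a given permission. Assumptions: the input is shaped like `kubectl -n gorilla get role,rolebinding -o json`, the sample data is constructed from the mock environment, the function names are hypothetical, and ClusterRoles, ClusterRoleBindings, group subjects and resourceNames are out of scope.

```python
import json

# Constructed sample shaped like `kubectl -n gorilla get role,rolebinding -o json`
# for the mock environment on this page (not captured from a real cluster).
SAMPLE = json.loads("""
{"items": [
  {"kind": "Role",
   "metadata": {"name": "gorilla-role", "namespace": "gorilla"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "serviceaccounts"], "verbs": ["get", "list"]},
             {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "gorilla-rolebinding", "namespace": "gorilla"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "gorilla-role"},
   "subjects": [{"kind": "ServiceAccount", "name": "gorilla-sa", "namespace": "gorilla"}]}
]}
""")

def _match(wanted, allowed):
    # RBAC rule lists accept "*" as a wildcard.
    return "*" in allowed or wanted in allowed

def role_allows(role, verb, resource, api_group=""):
    """True if any rule in the Role grants verb on resource in api_group."""
    return any(
        _match(api_group, r.get("apiGroups", []))
        and _match(resource, r.get("resources", []))
        and _match(verb, r.get("verbs", []))
        for r in role.get("rules") or []
    )

def allowed_service_accounts(objs, namespace, verb, resource, api_group=""):
    """ServiceAccounts that a RoleBinding in namespace ties to the permission."""
    items = [o for o in objs["items"] if o["metadata"].get("namespace") == namespace]
    roles = {o["metadata"]["name"]: o for o in items if o["kind"] == "Role"}
    found = set()
    for rb in (o for o in items if o["kind"] == "RoleBinding"):
        ref = rb["roleRef"]
        role = roles.get(ref["name"]) if ref["kind"] == "Role" else None
        if role is None or not role_allows(role, verb, resource, api_group):
            continue
        for s in rb.get("subjects") or []:
            if s["kind"] == "ServiceAccount":
                found.add(f'{s.get("namespace", namespace)}:{s["name"]}')
    return sorted(found)

if __name__ == "__main__":
    sas = allowed_service_accounts(SAMPLE, "gorilla", "list", "serviceaccounts")
    print("can list serviceaccounts:", sas)
    print("Deployment's current SA gorilla:default allowed:", "gorilla:default" in sas)
```

On a live cluster, `kubectl auth can-i list serviceaccounts -n gorilla --as=system:serviceaccount:gorilla:default` answers the same question for a single service account.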