试图使用kubectl - with : Error from server (禁止)：命名空间在AWS EKS集群中创建名称空间是被禁止的

link之家

链接快照平台

输入网页链接，自动生成快照
标签化管理网页链接

相关文章推荐

会开车的紫菜 · HIVE 字符串去掉最后一个字符 - CSDN文库· 6 月前 ·

路过的香蕉 · 北京航空航天大学计算机学院· 1 年前 ·

近视的充电器 · 学院简介-经济学院· 1 年前 ·

谈吐大方的烤土司 · oracle ...· 2 年前 ·

淡定的茶壶 · 黑背信天翁姜诗诗变原形 - 抖音· 2 年前 ·

腾讯云

开发者社区

文档意见反馈控制台

首页 TVP

文章/答案/技术大牛

发布

kubectl create namespace ernie

Error from server (Forbidden): namespaces is forbidden: User "thera-eks" cannot create resource "namespaces" in API group "" at the cluster scope

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: full_access
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: full_access_role_binding
subjects:
- kind: User
  name: thera-eks
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: full_access
  apiGroup: rbac.authorization.k8s.io

data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::9967xxxxxxxx:role/eksctl-ops-nodegroup-linux-ng-sys-NodeInstanceRole-346VJPTOXI7L
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - eks-role
      - system:master
      rolearn: arn:aws:iam::9967xxxxxxxx:role/thera-eks
      username: thera-eks
  mapUsers: |
    - userarn: arn:aws:iam::9967xxxxxxxx:user/test-ecr
    username: test-ecr
    groups:
    - eks-role

 {
    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:ListImages",
                "ecr:PutImage",
                "ecr:UploadLayerPart",
                "ecr:GetAuthorizationToken"
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
                "eks:*",
                "iam:ListRoles",
                "sts:AssumeRole"
            "Resource": "*"
}

kubectl auth can-i create namespace

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group

试图使用kubectl - with : Error from server (禁止)：命名空间在AWS EKS集群中创建名称空间是被禁止的

2 个回答