我正在运行kubernetes v1.11.5并且我正在为每个命名空间安装带有分蘖部署的头盔。让我们专注于一个命名空间。这是分蘖服务帐户配置：

apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller

namespace: marketplace-int

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-manager
namespace: marketplace-int
rules:

• apiGroups:

  • ""
  • extensions
  • apps
  • rbac.authorization.k8s.io
  • roles.rbac.authorization.k8s.io
  • authorization.k8s.io
    resources: ["*"]

verbs: ["*"]

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-binding
namespace: marketplace-int
subjects:

• kind: ServiceAccount
  name: tiller

namespace: marketplace-int
roleRef:
kind: Role
name: tiller-manager
apiGroup: rbac.authorization.k8s.io
当我尝试部署图表时，我收到此错误：

Error: release citest failed: roles.rbac.authorization.k8s.io "marketplace-int-role-ns-admin" is forbidden:
attempt to grant extra privileges:
[{[] [] [*] [] []}] user=&{system:serviceaccount:marketplace-int:tiller 5c6af739-1023-11e9-a245-0ab514dfdff4
[system:serviceaccounts system:serviceaccounts:marketplace-int system:authenticated] map[]}
ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []}
{[get] [] [] [] [/api /api/ /apis /apis/ /healthz /openapi /openapi/ /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/ /version /version/]}
{[] [ extensions apps rbac.authorization.k8s.io roles.rbac.authorization.k8s.io authorization.k8s.io] [] [] []}] ruleResolutionErrors=[]
尝试为该命名空间创建rbac配置时出现错误（使用tiller sa）：

Source: marketplace/templates/role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:

app: citest
chart: marketplace-0.1.0
heritage: Tiller
release: citest
namespace: marketplace-int

name: marketplace-int-role-ns-admin
rules:

• apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
  错误消息清楚地表明，分蘖服务帐户没有权限，roles.rbac.authorization.k8s.io但是如前所示授予了该权限。