获得Exec失败:在k8s上提交spark时的HTTP 403
spark版本:v2.4.0
eks info:v1.10.11-eks
提交后,出现错误信息如下:
019-02-21 15:08:44 WARN WatchConnectionManager:185 - 执行失败:HTTP 403,状态:403 - 禁止使用pod:用户“system:anonymous”无法查看名称空间中的pod“spark”java.net.ProtocolException:预计HTTP 101响应但是'403 Forbidden'
线程“main”中的异常io.fabric8.kubernetes.client.KubernetesClientException:pods被禁止:用户“system:anonymous”无法在命名空间“spark”中观看pod
写回答
-
整合最优质的专家资源和技术资料,问答解疑您需要为系统创建角色:匿名用户在您的命名空间中观察pod,类似于下面的yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: spark # your namespace
name: pod-reader # Role name will be needed for binding to user
rules:- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]
然后,您需要创建RoleBindging以将此角色绑定到系统:匿名用户与yaml类似This role binding allows "system:anonymous" to read pods in the "spark" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: spark # your namespace
subjects:- kind: User
name: system:anonymous # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role #this must be Role or ClusterRole
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io2019-07-17 23:29:10赞同 展开评论 打赏 - apiGroups: [""] # "" indicates the core API group
版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
