I want to watch k8s events for monitoring. So far I have done the following steps:
1. create a serviceaccount
2. create a role, allow list/get/watch events
3. create rolebinding
But the process fails with a Forbidden error. Is something wrong?

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-events
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-events
rules:
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: kube-events
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kube-events
subjects:
- kind: ServiceAccount
  name: kube-events

kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Mon, 11 Nov 2019 09:26:34 GMT', 'Content-Length': '287'})
HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"events is forbidden: User \\"system:serviceaccount:kkmh-ruly:kube-events\\" cannot watch resource \\"events\\" in API group \\"\\" at the cluster scope","reason":"Forbidden","details":{"kind":"events"},"code":403}\n'
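
The 403 above is reported "at the cluster scope", which a namespaced Role and RoleBinding do not cover. As an added example (not part of the original post), this is a cluster-wide, read-only grant for the same service account; the namespace `kkmh-ruly` is taken from the error message, and the object name `kube-events-cluster` is an assumption.

```yaml
# Added example: grants read-only access to events in ALL namespaces.
# Least-privilege alternative: keep the namespaced Role/RoleBinding above
# and have the client watch events in its own namespace only.
---
apiVersion: rbac.authorization.k8s.io/v1   # v1 used here; the post uses v1beta1
kind: ClusterRole
metadata:
  name: kube-events-cluster                # assumed name
rules:
- apiGroups: [""]                          # core API group, as named in the 403
  resources: ["events"]
  verbs: ["get", "list", "watch"]          # read-only, same verbs as the Role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-events-cluster                # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-events-cluster
subjects:
- kind: ServiceAccount
  name: kube-events
  namespace: kkmh-ruly                     # required for ServiceAccount subjects here
```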