Permanent link to this article: https://www.xtplayer.cn/rancher/admission-webhook-rancher-cattle-io-namespaces-denied-the-request-unauthorized/

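The error `admission webhook "rancher.cattle.io.namespaces" denied the request Unauthorized` is currently known to occur with tigera-operator and the NeuVector controller. The main cause is that certain permissions are missing. Depending on which component you use, copy the corresponding YAML below and import it into the cluster to add the missing permissions.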

  • tigera-operator

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigera-operator-psa
rules:
# Custom verb that Rancher's webhook checks before allowing changes to
# Pod Security Admission labels on a namespace.
- apiGroups:
  - management.cattle.io
  resources:
  - projects
  verbs:
  - updatepsa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tigera-operator-psa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tigera-operator-psa
# Grant the verb only to the operator's own service account.
subjects:
- kind: ServiceAccount
  name: tigera-operator
  namespace: tigera-operator
```

  • neuvector

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: neuvector-psa
rules:
# Same custom verb as above, scoped to a separate role for NeuVector.
- apiGroups:
  - management.cattle.io
  resources:
  - projects
  verbs:
  - updatepsa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: neuvector-psa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: neuvector-psa
# Grant the verb only to the NeuVector service account.
subjects:
- kind: ServiceAccount
  name: neuvector
  namespace: cattle-neuvector-system
```
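
To confirm the bindings took effect, the check below asks the API server whether each service account now holds the `updatepsa` verb on `projects` in `management.cattle.io`. It is an added example, not part of the original post or of Rancher; it assumes `kubectl` points at the affected cluster and that the caller is allowed to impersonate service accounts. `KUBECTL`, `PSA_SUBJECTS`, `PSA_CHECK_RUN` and the function names are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: verify the updatepsa grant from the manifests above.
# Assumption: the caller may impersonate service accounts (e.g. cluster-admin).
KUBECTL="${KUBECTL:-kubectl}"   # overridable so the check can be tested offline

# Service accounts bound by the two ClusterRoleBindings on this page (namespace:name).
PSA_SUBJECTS="tigera-operator:tigera-operator cattle-neuvector-system:neuvector"

# Prints "yes" or "no": may the given service account use the updatepsa verb
# on projects in management.cattle.io?
psa_can_update() {
  ns="$1"; sa="$2"
  # kubectl prints yes/no on stdout; warnings about unknown resource types go to stderr.
  answer="$($KUBECTL auth can-i updatepsa projects.management.cattle.io \
    --as="system:serviceaccount:${ns}:${sa}" 2>/dev/null | tail -n 1)"
  [ "$answer" = "yes" ] && echo yes || echo no
}

# Prints one line per subject; returns the number of subjects lacking the verb.
psa_report() {
  missing=0
  for subject in $PSA_SUBJECTS; do
    ns="${subject%%:*}"; sa="${subject#*:}"
    result="$(psa_can_update "$ns" "$sa")"
    echo "${ns}/${sa}: updatepsa=${result}"
    [ "$result" = "yes" ] || missing=$((missing + 1))
  done
  return "$missing"
}

# Run against the live cluster only when asked: PSA_CHECK_RUN=1 ./check-psa.sh
if [ "${PSA_CHECK_RUN:-0}" = "1" ]; then
  psa_report
fi
```

A non-zero exit status from `psa_report` is the count of listed service accounts that would still be rejected by the webhook for lack of the verb.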

Reference issue: https://github.com/rancher/rancher/issues/41191