kubectl get pods -A -o wide

Checking the logs of the failing pods shows:


pods "kube-flannel-ds-amd64-xxxxx" is forbidden: User "system:serviceaccount:kube-system:flannel" cannot get resource "pods" in API group "" in the namespace "kube-system"


In other words, the flannel service account is not allowed to access pods in the kube-system namespace. The pods in the kube-flannel namespace are all healthy, so the existing cluster role binding only covers the service account in that namespace; the one in kube-system has to be bound as well.

kubectl describe clusterrolebinding -A


kubectl get clusterrole -A | grep flannel

flannel
kubectl describe clusterrole flannel


Name:         flannel
Labels:       k8s-app=flannel
Annotations:  <none>
PolicyRule:
  Resources                       Non-Resource URLs  Resource Names  Verbs
  ---------                       -----------------  --------------  -----
  nodes                           []                 []              [get list watch]
  pods                            []                 []              [get]
  clustercidrs.networking.k8s.io  []                 []              [list watch]
  nodes/status                    []                 []              [patch]


There is already a ClusterRole named flannel, so the service account only needs to be bound to it:

kubectl create clusterrolebinding add-on-flannel \
  --clusterrole=flannel \
  --serviceaccount=kube-system:flannel

kubectl describe clusterrolebinding -A


# The newly added clusterrolebinding binds the flannel service account in kube-system, which resolves the error above
Name:         add-on-flannel
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  flannel
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  flannel  kube-system


# The pre-existing clusterrolebinding binds the flannel service account in kube-flannel
Name:         flannel
Labels:       k8s-app=flannel
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  flannel
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  flannel  kube-flannel


After a short while, the kube-flannel-ds-amd64-xxxxx containers on all three nodes started on their own.
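The diagnosis above follows a fixed pattern: read the apiserver's Forbidden message, reproduce the denied request with `kubectl auth can-i` under the same identity, and bind the named service account to a ClusterRole that already grants the missing verb. The script below is an added example, not part of the original post: it parses that message format offline and derives the two commands, so it runs without a cluster. The message is a constructed copy of the one quoted above (the pod-name suffix stays the author's placeholder); the binding name `add-on-flannel` and the ClusterRole `flannel` are the ones the post uses.

```sh
#!/bin/sh
# Added example: parse a Kubernetes RBAC "Forbidden" message and derive the
# check and the binding that the post applies by hand. Constructed sample
# input; no cluster is contacted.
SAMPLE_ERR='pods "kube-flannel-ds-amd64-xxxxx" is forbidden: User "system:serviceaccount:kube-system:flannel" cannot get resource "pods" in API group "" in the namespace "kube-system"'

# forbidden_field MESSAGE N
# Field 1 = user, 2 = verb, 3 = resource, 4 = API group, 5 = namespace.
# Prints nothing if MESSAGE is not in the apiserver's Forbidden format.
forbidden_field() {
  printf '%s\n' "$1" | sed -n \
    's/.*User "\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)" in API group "\([^"]*\)" in the namespace "\([^"]*\)".*/\1|\2|\3|\4|\5/p' \
    | cut -d'|' -f"$2"
}

# sa_ref USER -> "namespace:name", the form kubectl's --serviceaccount flag
# expects, or nothing if USER is not a service account (e.g. a human user).
sa_ref() {
  case "$1" in
    system:serviceaccount:*:*) printf '%s\n' "${1#system:serviceaccount:}" ;;
  esac
}

# can_i_cmd MESSAGE -> the kubectl auth can-i command that replays the
# denied request as the exact identity and namespace from the message.
can_i_cmd() {
  user=$(forbidden_field "$1" 1)
  verb=$(forbidden_field "$1" 2)
  res=$(forbidden_field "$1" 3)
  grp=$(forbidden_field "$1" 4)
  ns=$(forbidden_field "$1" 5)
  [ -n "$user" ] || return 1
  # Core-group resources are spelled bare; others as resource.group.
  [ -z "$grp" ] || res="$res.$grp"
  printf 'kubectl auth can-i %s %s -n %s --as=%s\n' "$verb" "$res" "$ns" "$user"
}

# binding_cmd MESSAGE BINDING_NAME CLUSTERROLE -> the create command from the
# post, built from the service account named in the message. The ClusterRole
# must already grant the denied verb on the resource (checked in the post
# with: kubectl describe clusterrole flannel).
binding_cmd() {
  sa=$(sa_ref "$(forbidden_field "$1" 1)")
  [ -n "$sa" ] || return 1
  printf 'kubectl create clusterrolebinding %s --clusterrole=%s --serviceaccount=%s\n' \
    "$2" "$3" "$sa"
}

# Demonstration on the constructed message.
can_i_cmd "$SAMPLE_ERR"
binding_cmd "$SAMPLE_ERR" add-on-flannel flannel
```

Run the printed `kubectl auth can-i` line before and after creating the binding: it should answer `no` first and `yes` afterwards, which confirms the binding fixed the exact request that failed rather than something nearby. Note that the `Namespace` column under `Subjects` only identifies which service account is bound; a ClusterRoleBinding grants the role cluster-wide, so it matters that the `flannel` ClusterRole is as narrow as the `describe` output above shows.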

Reference: k8s -- ordinary k8s cluster -- using rolebinding to restrict or grant namespace access and permitted operations (CSDN blog)
