如何在角色定义中引用所有子资源?

时间:2019-09-10 13:45:44

标签: kubernetes rbac

这是一个简单的Kubernetes角色:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: temp-role
  namespace: stackoverflow
rules:
- apiGroups: [""]
  resources:
  - pods
  verbs:
  - get

这个角色允许我说kubectl get pod foobar,我可以得到豆荚。

但是,我现在无法获得豆荚日志:

Error from server (Forbidden): pods "foobar" is forbidden: User "system:serviceaccount:kube-system:myuser" cannot get resource "pods/log" in API group "" in the namespace "stackoverflow"

因此该错误告诉我有一个单独的子资源pods/log,需要在资源中明确提及。

有趣的是kubectl auth can-i对我说谎:

$ kubectl -n stackoverflow auth can-i get pods/log                                                                           
yes

好的,我们先解决这个问题,然后直接从子资源中提取收益:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: temp-role
  namespace: stackoverflow
rules:
- apiGroups: [""]
  resources:
  - pods
  - pods/log
  verbs:
  - get

现在我可以正确检索日志了!

那是什么问题

事实是,我正在尝试创建一个对某些特定资源(特别是ClusterRole ClusterRole的子集)具有读/写访问权限的edit,我希望我可以通过使用kubectl api-resources并允许从那里进行所有操作,但我不想允许的一些操作除外。

但是像pods/log这样的子资源没有出现在列表中,所以这种方法行不通-我阻止访问我打算公开的某些内容,但我什至不知道确切的含义。在尝试过pods/log之后,我才了解到它,但是发现它不起作用。

所以我正在寻找一种方法:

  • rules.resources中提及一个包含所有子资源的资源(我尝试过pods/*,但似乎没有任何作用)
  • 如果无法实现上述要求:获取所有资源和子资源的列表,以便我可以将它们分别在rules.resources中列入白名单。

有想法吗?

1 个答案:

答案 0 :(得分:1)

答案是受[Bash] [Kubernetes] Script to List All Available Resource/Sub-resource Name for RBAC Configuration文章的启发。

2个脚本,都对我有用:

_list=($(kubectl get --raw / |grep "^    \"/api"|sed 's/[",]//g')); 
for _api in ${_list[@]}; do
  _aruyo=$(kubectl get --raw ${_api} | jq .resources); 
  if [ "x${_aruyo}" != "xnull" ]; then 
    echo; 
    echo "===${_api}==="; 
    kubectl get --raw ${_api} | jq -r ".resources[].name"; 
  fi; 
done


_list=($(kubectl get --raw / |grep "^    \"/api"|sed 's/[",]//g')); for _api in ${_list[@]}; do _aruyo=$(kubectl get --raw ${_api} | jq .resources); if [ "x${_aruyo}" != "xnull" ]; then echo; echo "===${_api}==="; kubectl get --raw ${_api} | jq -r ".resources[].name"; fi; done

结果:

===/api/v1===
bindings
componentstatuses
configmaps
endpoints
events
limitranges
namespaces
namespaces/finalize
namespaces/status
nodes
nodes/proxy
nodes/status
persistentvolumeclaims
persistentvolumeclaims/status
persistentvolumes
persistentvolumes/status
pods
pods/attach
pods/binding
pods/eviction
pods/exec
pods/log
pods/portforward
pods/proxy
pods/status
podtemplates
replicationcontrollers
replicationcontrollers/scale
replicationcontrollers/status
resourcequotas
resourcequotas/status
secrets
serviceaccounts
serviceaccounts/token
services
services/proxy
services/status

===/apis/admissionregistration.k8s.io/v1beta1===
mutatingwebhookconfigurations
validatingwebhookconfigurations

===/apis/apiextensions.k8s.io/v1beta1===
customresourcedefinitions
customresourcedefinitions/status

===/apis/apiregistration.k8s.io/v1===
apiservices
apiservices/status

===/apis/apiregistration.k8s.io/v1beta1===
apiservices
apiservices/status

===/apis/apps/v1===
controllerrevisions
daemonsets
daemonsets/status
deployments
deployments/scale
deployments/status
replicasets
replicasets/scale
replicasets/status
statefulsets
statefulsets/scale
statefulsets/status

===/apis/apps/v1beta1===
controllerrevisions
deployments
deployments/rollback
deployments/scale
deployments/status
statefulsets
statefulsets/scale
statefulsets/status

===/apis/apps/v1beta2===
controllerrevisions
daemonsets
daemonsets/status
deployments
deployments/scale
deployments/status
replicasets
replicasets/scale
replicasets/status
statefulsets
statefulsets/scale
statefulsets/status

===/apis/authentication.k8s.io/v1===
tokenreviews

===/apis/authentication.k8s.io/v1beta1===
tokenreviews

===/apis/authorization.k8s.io/v1===
localsubjectaccessreviews
selfsubjectaccessreviews
selfsubjectrulesreviews
subjectaccessreviews

===/apis/authorization.k8s.io/v1beta1===
localsubjectaccessreviews
selfsubjectaccessreviews
selfsubjectrulesreviews
subjectaccessreviews

===/apis/autoscaling/v1===
horizontalpodautoscalers
horizontalpodautoscalers/status

===/apis/autoscaling/v2beta1===
horizontalpodautoscalers
horizontalpodautoscalers/status

===/apis/batch/v1===
jobs
jobs/status

===/apis/batch/v1beta1===
cronjobs
cronjobs/status

===/apis/certificates.k8s.io/v1beta1===
certificatesigningrequests
certificatesigningrequests/approval
certificatesigningrequests/status

===/apis/cloud.google.com/v1beta1===
backendconfigs

===/apis/coordination.k8s.io/v1beta1===
leases

===/apis/extensions/v1beta1===
daemonsets
daemonsets/status
deployments
deployments/rollback
deployments/scale
deployments/status
ingresses
ingresses/status
networkpolicies
podsecuritypolicies
replicasets
replicasets/scale
replicasets/status
replicationcontrollers
replicationcontrollers/scale

===/apis/metrics.k8s.io/v1beta1===
nodes
pods

===/apis/networking.gke.io/v1beta1===
managedcertificates

===/apis/networking.k8s.io/v1===
networkpolicies

===/apis/policy/v1beta1===
poddisruptionbudgets
poddisruptionbudgets/status
podsecuritypolicies

===/apis/rbac.authorization.k8s.io/v1===
clusterrolebindings
clusterroles
rolebindings
roles

===/apis/rbac.authorization.k8s.io/v1beta1===
clusterrolebindings
clusterroles
rolebindings
roles

===/apis/scalingpolicy.kope.io/v1alpha1===
scalingpolicies

===/apis/scheduling.k8s.io/v1beta1===
priorityclasses

===/apis/storage.k8s.io/v1===
storageclasses
volumeattachments
volumeattachments/status

===/apis/storage.k8s.io/v1beta1===
storageclasses
volumeattachments

我也想做的-是要引起您的注意,即kubernetes不允许您默认获取此列表,并且这是设计使然。

请参阅Permission to "pods/*" should work

评论:

  

services / *不授予服务状态更新的权限。

     

如果您希望不受限制地访问所有资源,则可以   授予*

     

对所有当前和将来的子资源的访问不受限制   误导原因。不同的子资源用于   不同的目的。授权资源的所有子资源均假定   不会添加任何新的子资源来授予对远方的访问权限   更强大的功能。授予对pods / *的访问权限将允许   目前是对未来子资源的受限用户访问权限,即使   这些子资源远远超出了当前的能力   子资源。

     

* / scale格式可用于授予对子资源的访问权限   在所有资源上命名规模,对于诸如   自动缩放,需要访问特定的子资源。

相关问题
最新问题