This is a simple Kubernetes Role:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: temp-role
  namespace: stackoverflow
rules:
- apiGroups: [""]
  resources:
  - pods
  verbs:
  - get
This role allows me to say kubectl get pod foobar and I get the pod.
However, I cannot get the pod's logs:
Error from server (Forbidden): pods "foobar" is forbidden: User "system:serviceaccount:kube-system:myuser" cannot get resource "pods/log" in API group "" in the namespace "stackoverflow"
So the error tells me there is a separate subresource pods/log that needs to be mentioned explicitly in resources.
Interestingly, kubectl auth can-i lies to me:
$ kubectl -n stackoverflow auth can-i get pods/log
yes
OK, let's fix that first by pulling in the subresource directly:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: temp-role
  namespace: stackoverflow
rules:
- apiGroups: [""]
  resources:
  - pods
  - pods/log
  verbs:
  - get
Now I can retrieve the logs correctly!
The thing is, I'm trying to create a role that has read/write access to some specific resources (specifically a subset of the edit ClusterRole), and I was hoping I could do that by using kubectl api-resources and allowing everything from there except for a few operations I don't want to allow.
But subresources like pods/log do not show up in that list, so this approach doesn't work: I would be blocking access to something I intend to expose, and I don't even know exactly what. I only learned about pods/log after trying it and finding that it didn't work.
So I'm looking for a way to either mention, in rules.resources, a resource that includes all of its subresources (I tried pods/*, but it seems to have no effect), or to whitelist them in rules.resources. Any ideas?
Answer 0 (score: 1)
The answer was inspired by the article [Bash] [Kubernetes] Script to List All Available Resource/Sub-resource Name for RBAC Configuration.
2 scripts, both worked for me:
# Collect every API path the server advertises in its root discovery document
_list=($(kubectl get --raw / |grep "^ \"/api"|sed 's/[",]//g'));
for _api in "${_list[@]}"; do
  # Skip paths (such as /api and /apis themselves) whose document has no resource list
  _aruyo=$(kubectl get --raw "${_api}" | jq .resources);
  if [ "x${_aruyo}" != "xnull" ]; then
    echo;
    echo "===${_api}===";
    # Print every resource and subresource name served under this group/version
    kubectl get --raw "${_api}" | jq -r ".resources[].name";
  fi;
done
or
_list=($(kubectl get --raw / |grep "^ \"/api"|sed 's/[",]//g')); for _api in ${_list[@]}; do _aruyo=$(kubectl get --raw ${_api} | jq .resources); if [ "x${_aruyo}" != "xnull" ]; then echo; echo "===${_api}==="; kubectl get --raw ${_api} | jq -r ".resources[].name"; fi; done
Result:
===/api/v1===
bindings
componentstatuses
configmaps
endpoints
events
limitranges
namespaces
namespaces/finalize
namespaces/status
nodes
nodes/proxy
nodes/status
persistentvolumeclaims
persistentvolumeclaims/status
persistentvolumes
persistentvolumes/status
pods
pods/attach
pods/binding
pods/eviction
pods/exec
pods/log
pods/portforward
pods/proxy
pods/status
podtemplates
replicationcontrollers
replicationcontrollers/scale
replicationcontrollers/status
resourcequotas
resourcequotas/status
secrets
serviceaccounts
serviceaccounts/token
services
services/proxy
services/status
===/apis/admissionregistration.k8s.io/v1beta1===
mutatingwebhookconfigurations
validatingwebhookconfigurations
===/apis/apiextensions.k8s.io/v1beta1===
customresourcedefinitions
customresourcedefinitions/status
===/apis/apiregistration.k8s.io/v1===
apiservices
apiservices/status
===/apis/apiregistration.k8s.io/v1beta1===
apiservices
apiservices/status
===/apis/apps/v1===
controllerrevisions
daemonsets
daemonsets/status
deployments
deployments/scale
deployments/status
replicasets
replicasets/scale
replicasets/status
statefulsets
statefulsets/scale
statefulsets/status
===/apis/apps/v1beta1===
controllerrevisions
deployments
deployments/rollback
deployments/scale
deployments/status
statefulsets
statefulsets/scale
statefulsets/status
===/apis/apps/v1beta2===
controllerrevisions
daemonsets
daemonsets/status
deployments
deployments/scale
deployments/status
replicasets
replicasets/scale
replicasets/status
statefulsets
statefulsets/scale
statefulsets/status
===/apis/authentication.k8s.io/v1===
tokenreviews
===/apis/authentication.k8s.io/v1beta1===
tokenreviews
===/apis/authorization.k8s.io/v1===
localsubjectaccessreviews
selfsubjectaccessreviews
selfsubjectrulesreviews
subjectaccessreviews
===/apis/authorization.k8s.io/v1beta1===
localsubjectaccessreviews
selfsubjectaccessreviews
selfsubjectrulesreviews
subjectaccessreviews
===/apis/autoscaling/v1===
horizontalpodautoscalers
horizontalpodautoscalers/status
===/apis/autoscaling/v2beta1===
horizontalpodautoscalers
horizontalpodautoscalers/status
===/apis/batch/v1===
jobs
jobs/status
===/apis/batch/v1beta1===
cronjobs
cronjobs/status
===/apis/certificates.k8s.io/v1beta1===
certificatesigningrequests
certificatesigningrequests/approval
certificatesigningrequests/status
===/apis/cloud.google.com/v1beta1===
backendconfigs
===/apis/coordination.k8s.io/v1beta1===
leases
===/apis/extensions/v1beta1===
daemonsets
daemonsets/status
deployments
deployments/rollback
deployments/scale
deployments/status
ingresses
ingresses/status
networkpolicies
podsecuritypolicies
replicasets
replicasets/scale
replicasets/status
replicationcontrollers
replicationcontrollers/scale
===/apis/metrics.k8s.io/v1beta1===
nodes
pods
===/apis/networking.gke.io/v1beta1===
managedcertificates
===/apis/networking.k8s.io/v1===
networkpolicies
===/apis/policy/v1beta1===
poddisruptionbudgets
poddisruptionbudgets/status
podsecuritypolicies
===/apis/rbac.authorization.k8s.io/v1===
clusterrolebindings
clusterroles
rolebindings
roles
===/apis/rbac.authorization.k8s.io/v1beta1===
clusterrolebindings
clusterroles
rolebindings
roles
===/apis/scalingpolicy.kope.io/v1alpha1===
scalingpolicies
===/apis/scheduling.k8s.io/v1beta1===
priorityclasses
===/apis/storage.k8s.io/v1===
storageclasses
volumeattachments
volumeattachments/status
===/apis/storage.k8s.io/v1beta1===
storageclasses
volumeattachments
What I also wanted to do is draw your attention to the fact that Kubernetes does not let you get this list by default, and that this is by design.
See the comment on Permission to "pods/*" should work:
services/* does not grant permission to update the service status.
If you want unrestricted access to all resources, you can grant *. Unrestricted access to all current and future subresources is misleading, for the reasons described. Different subresources serve different purposes. Authorizing all subresources of a resource assumes that no new subresource will ever be added that grants access to far more powerful capabilities. Granting access to pods/* would allow a currently limited user access to future subresources, even if those subresources went far beyond the capabilities of the current subresources.
The */scale form is available to grant access to a subresource named scale on all resources, for things such as autoscaling that need access to a specific subresource.
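As an added check that is not part of the question or the answer above, the following Python script ties the two together: it reimplements the RBAC resource-matching rule (an entry matches on `*`, an exact `resource/sub` name, or `*/sub`, which is why `pods/*` matches nothing while `*/scale` works) and audits a Role against the subresource names the answer's listing script prints, reporting which subresources of each granted resource the Role leaves out. The discovery data and the Role are constructed inline, modelled on the page's temp-role and listing, not captured from a cluster.

```python
"""Audit a Role's resource names against the subresources the API server
advertises (the list the answer's script prints) before binding it."""

# Constructed sample, not a real capture: the `.resources[].name` values that
# `kubectl get --raw /api/v1` and `/apis/apps/v1` return, keyed by API group.
DISCOVERY = {
    "": ["pods", "pods/attach", "pods/exec", "pods/log", "pods/portforward",
         "pods/status", "services", "services/proxy"],
    "apps": ["deployments", "deployments/scale", "deployments/status"],
}
# Constructed Role (rules only): the question's fixed temp-role plus entries
# exercising the two wildcard forms the answer's quoted comment discusses.
TEMP_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/*"], "verbs": ["get"]},
    {"apiGroups": ["apps"], "resources": ["*/scale"], "verbs": ["update"]},
]}

def resource_matches(rule_resources, requested):
    """RBAC resource matching: an entry matches when it is '*', the exact name
    ('pods/log') or '*/<sub>' for that subresource; 'pods/*' matches nothing."""
    sub = requested.split("/", 1)[1] if "/" in requested else ""
    for entry in rule_resources:
        if entry == "*" or entry == requested or (sub and entry == "*/" + sub):
            return True
    return False

def granted(role, group, requested):
    """True if any rule of the role for `group` matches `requested`."""
    return any(resource_matches(r["resources"], requested)
               for r in role["rules"] if group in r.get("apiGroups", [""]))

def audit_role(role, discovery):
    """Report entries RBAC never matches, and for every plainly granted resource
    whether each subresource the server advertises is itself granted."""
    ineffective, coverage = [], {}
    for rule in role["rules"]:
        for group in rule.get("apiGroups", [""]):
            for entry in rule["resources"]:
                if entry.endswith("/*"):  # 'pods/*' style: silently useless
                    ineffective.append(entry)
                elif "/" not in entry and entry != "*":
                    subs = [n for n in discovery.get(group, [])
                            if n.startswith(entry + "/")]
                    coverage[entry] = {s: granted(role, group, s) for s in subs}
    return {"ineffective": ineffective, "subresources": coverage}

if __name__ == "__main__":
    for res, subs in audit_role(TEMP_ROLE, DISCOVERY)["subresources"].items():
        print(res, "- not granted:", [s for s, ok in subs.items() if not ok])
```

Feeding it the real listing from the answer's script (one entry per `===group===` block) instead of the constructed DISCOVERY turns it into a pre-binding review of any Role or ClusterRole.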