Final update: apparently there was some problem with the variables used in the curl command; after closing the connection to the cluster and redefining them, the command started working.
The setup is simple, in a learning environment. I created a ServiceAccount, Role & RoleBinding. Trying to query pods or services, I get:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services is forbidden: User \"system:serviceaccount:default:myscript\" cannot list resource \"services\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403
}
I don't know where I am failing. Originally I only had the get, list and delete verbs. But even after using the wildcard "*", it kept saying forbidden.
Here is some information from the cluster:
Query command: curl -X GET $SERVER/api/v1/namespaces/default/services --header "Authorization: Bearer $MYSCRIPT_TOKEN" --cacert /etc/kubernetes/pki/ca.crt
ubuntu@master:~/$ kubectl describe sa myscript
Name: myscript
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: myscript-token
Events: <none>
ubuntu@master:~/$ kubectl get role script-role
NAME CREATED AT
script-role 2022-09-04T10:44:22Z
ubuntu@master:~/$ kubectl get rolebinding script-rb -o wide
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
script-rb Role/script-role 57m default/myscript
ubuntu@master:~/$ kubectl describe role script-role
Name: script-role
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [*]
services [] [] [*]
deployments.apps [] [] [get list delete]
Update:
A few kubectl auth can-i commands show that the RBAC should be fine.
ubuntu@master:~$ kubectl auth can-i get services --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i list services --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i delete services --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i delete deploy --as system:serviceaccount:default:myscript
yes
ubuntu@master:~$ kubectl auth can-i update deploy --as system:serviceaccount:default:myscript
no
ServiceAccount manifest.
ubuntu@master:~$ kubectl get sa myscript -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2022-09-04T10:35:47Z"
name: myscript
namespace: default
resourceVersion: "675592"
uid: ab3b3c20-e3b9-405a-a9e9-e4f65ac13f5c
Role manifest
ubuntu@master:~$ kubectl get role script-role -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"script-role","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["pods","services"],"verbs":["get","list","delete"]},{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list","delete"]}]}
creationTimestamp: "2022-09-04T10:44:22Z"
name: script-role
namespace: default
resourceVersion: "681508"
uid: a1b03864-081e-4d0a-bf54-9c69f6f6c17e
rules:
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- '*'
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- delete
RoleBinding manifest
ubuntu@master:~$ kubectl get rolebinding script-rb -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"script-rb","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"script-role"},"subjects":[{"kind":"ServiceAccount","name":"myscript","namespace":"default"}]}
creationTimestamp: "2022-09-04T10:46:05Z"
name: script-rb
namespace: default
resourceVersion: "676627"
uid: dbdcef8f-6a30-4cd3-8152-2626c2284c83
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: script-role
subjects:
- kind: ServiceAccount
name: myscript
namespace: default
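Added example, not code from the original question or from its commenter: a small Python diagnostic that takes the Status body the API server sends back to a curl call like the one above, together with the bearer token that was sent, and separates an authentication problem (the token never authenticated, or nothing usable was sent) from an RBAC denial. The distinction it encodes: a 403 whose message names the expected system:serviceaccount:<ns>:<name> means the token authenticated and only the Role/RoleBinding is in play; an empty or unset $MYSCRIPT_TOKEN typically shows up as a 403 for system:anonymous (or a 401 when anonymous auth is off); a 401 means the token itself was rejected. The namespace and service-account name are the post's; the 403 body is the post's own response, while the anonymous and 401 bodies and the demo token are constructed here. The token decode deliberately does not verify the signature: it only reports what the token claims, the API server is what decides whether to accept it.

```python
"""Diagnose a 401/403 from the Kubernetes API when calling it with a bearer token."""
import base64
import json
import re
import time

# Assumed for this example: the namespace and service account from the post.
NAMESPACE = "default"
SA_NAME = "myscript"

# Shape of an RBAC denial message, e.g.
#   services is forbidden: User "system:serviceaccount:default:myscript"
#   cannot list resource "services" in API group "" in the namespace "default"
DENIED_RE = re.compile(
    r'User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)"'
)


def expected_subject(namespace, name):
    """Username the API server assigns to a service-account token."""
    return f"system:serviceaccount:{namespace}:{name}"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(sub, exp):
    """CONSTRUCTED demo token with a bogus signature. Real SA tokens are signed
    by the API server and any cluster would reject this one; it exists only so
    the example runs offline."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    claims = {"iss": "kubernetes/serviceaccount", "sub": sub, "exp": exp}
    return f"{header}.{_b64url(json.dumps(claims).encode())}.bogus-signature"


def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature. Diagnostic only:
    it shows what the token claims, not whether the server will accept it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(status_body, token, namespace, sa_name, now=None):
    """Classify the server's Status object together with the token that was sent.

    Verdicts:
      authz-denied    authenticated as the expected SA; fix the Role/RoleBinding
      authn-missing   evaluated as system:anonymous (empty/unset token variable)
      authn-failed    401: the token was rejected (expired, malformed, revoked)
      wrong-identity  authenticated, but as somebody else
    """
    now = int(time.time()) if now is None else now
    want = expected_subject(namespace, sa_name)
    result = {"expected_subject": want, "token_subject": None, "token_expired": None}

    # 1. What does the token we sent claim to be?
    try:
        claims = decode_jwt_payload(token)
        result["token_subject"] = claims.get("sub")
        exp = claims.get("exp")
        result["token_expired"] = exp is not None and exp <= now
    except ValueError as e:  # also covers binascii.Error and JSONDecodeError
        result["token_error"] = str(e)

    # 2. What did the server say?
    try:
        status = json.loads(status_body)
    except json.JSONDecodeError:
        result["verdict"] = "not-a-status-object"
        return result
    code = status.get("code")
    result["code"] = code

    if code == 401:
        result["verdict"] = "authn-failed"
    elif code == 403:
        m = DENIED_RE.search(status.get("message", ""))
        if m:
            result["denied_user"], result["verb"], result["resource"], result["api_group"] = m.groups()
        user = result.get("denied_user")
        if user == want:
            result["verdict"] = "authz-denied"
        elif user == "system:anonymous":
            result["verdict"] = "authn-missing"
        else:
            result["verdict"] = "wrong-identity"
    else:
        result["verdict"] = "other"
    return result


# FORBIDDEN_BODY is the 403 from the post (escaping restored); the other two
# bodies are CONSTRUCTED to show the neighbouring failure modes.
FORBIDDEN_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": 'services is forbidden: User "system:serviceaccount:default:myscript" '
               'cannot list resource "services" in API group "" in the namespace "default"',
    "reason": "Forbidden", "details": {"kind": "services"}, "code": 403,
})
ANONYMOUS_BODY = FORBIDDEN_BODY.replace("system:serviceaccount:default:myscript", "system:anonymous")
UNAUTHORIZED_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": "Unauthorized", "reason": "Unauthorized", "code": 401,
})

if __name__ == "__main__":
    good = make_unsigned_token(expected_subject(NAMESPACE, SA_NAME), 2_000_000_000)
    for label, body, tok in [("post's 403", FORBIDDEN_BODY, good),
                             ("empty $MYSCRIPT_TOKEN", ANONYMOUS_BODY, "")]:
        print(label, "->", diagnose(body, tok, NAMESPACE, SA_NAME)["verdict"])
```

In practice you would feed it the body captured with `curl -s -w '%{http_code}'` and the value of $MYSCRIPT_TOKEN; if the verdict is authz-denied, the verb and resource it extracts are exactly what to check with kubectl auth can-i --as.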
2 questions:
- Can you share the manifests of the Role, RoleBinding and ServiceAccount?
- Can you verify your Role & RoleBinding with the ServiceAccount using the kubectl auth can-i command?
// kubectl auth can-i <verb> <resource> -n <namespace> --as system:serviceaccount:<namespace>:<service-account-name>
kubectl auth can-i get service --as system:serviceaccount:default:myscript