如何禁用shell或bash对容器中pod的访问?我不希望任何人通过kubectl exec或docker exec或k9s 进入吊舱
Kuectl是一个CLI工具,因此它连接K8sneneneba API服务器并进行身份验证。
您可以根据用户的角色来限制用户,因此使用具有适当权限的RBAC将解决您的问题。
参考编号:https://kubernetes.io/docs/reference/access-authn-authz/rbac/
示例:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: serviceaccount
namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: default-user-role
namespace: default
rules:
- apiGroups: [""]
resources:
- pods/attach
- pods/exec
verbs: [""]
- apiGroups: ["", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: default-user-view
namespace: default
subjects:
- kind: ServiceAccount
name: serviceaccount
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: default-user-role
使用检查身份验证
kubectl auth can-i --as=system:serviceaccount:default:serviceaccount exec pod