我曾尝试创建一个只能访问视图pod的集群角色,但由于某种原因,该帐户仍然可以查看所有内容;机密、部署、节点等。我还启用了跳过登录,默认情况下匿名用户似乎也没有任何限制。
服务帐户:
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-example
namespace: default
集群角色:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cr-example
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
集群角色绑定:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crb-example
roleRef:
apiGroup: rbac.authorization.k8s.io
name: cr-example
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: sa-example
namespace: default
上下文:
K8s version: 1.17.3
Dashboard version: v2.0.0-rc5
Cluster type: bare metal
authorization-mode=Node,RBAC
您是如何检查它是否有效的?
我用下面的yamls 复制了你的问题
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-example
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cr-example
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crb-example
roleRef:
apiGroup: rbac.authorization.k8s.io
name: cr-example
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: sa-example
namespace: default
我使用了kubectl auth can-I来验证它是否有效
kubectl auth can-i get pods --as=system:serviceaccount:default:sa-example
yes
kubectl auth can-i get deployment --as=system:serviceaccount:default:sa-example
no
kubectl auth can-i get secrets --as=system:serviceaccount:default:sa-example
no
kubectl auth can-i get nodes --as=system:serviceaccount:default:sa-example
no
看起来一切都很好
唯一不同的是
kind: ClusterRole
metadata:
name: cr-example instead of cr-<role>
所以它实际上匹配ClusterRoleBinding
我希望它能帮助你解决你的问题。如果你还有什么问题,请告诉我。