这里有一个简单的 Kubernetes 角色:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: temp-role
namespace: stackoverflow
rules:
- apiGroups: [""]
resources:
- pods
verbs:
- get
这个角色允许我说kubectl get pod foobar,我可以得到豆荚。
但是,我现在无法获取 pod 日志:
Error from server (Forbidden): pods "foobar" is forbidden: User "system:serviceaccount:kube-system:myuser" cannot get resource "pods/log" in API group "" in the namespace "stackoverflow"
因此,该错误告诉我,需要在我的资源中明确提及一个单独的子资源pods/log。
有趣的是kubectl auth can-i对我撒谎:
$ kubectl -n stackoverflow auth can-i get pods/log
yes
好的,让我们解决这个问题并直接对子资源进行维护:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: temp-role
namespace: stackoverflow
rules:
- apiGroups: [""]
resources:
- pods
- pods/log
verbs:
- get
现在我可以正确检索日志了!
那么问题出在哪里
问题是,我正在尝试创建一个对某些特定资源(特别是editClusterRole的子集(具有读/写访问权限的ClusterRole,我希望我可以通过使用kubectl api-resources并允许那里的所有内容来完成它,除了我不想允许的少数事情。
但是像pods/log这样的子资源不会出现在列表中,所以这种方法不起作用 - 我会阻止访问我打算公开的一些内容,但我什至不知道到底是什么。我只是在尝试并注意到它不起作用后才了解pods/log。
所以我正在寻找一种方法来:
- 在
rules.resources中提到一个包含所有子资源的资源(我尝试了pods/*但它似乎没有做任何事情( - 如果上述方法无法实现:获取所有资源和子资源的列表,以便我可以将它们分别列入
rules.resources白名单。
思潮?
答案的灵感来自 [Bash] [Kubernetes] 脚本,用于列出 RBAC 配置的所有可用资源/子资源名称文章。
2 个脚本,都对我有用:
_list=($(kubectl get --raw / |grep "^ "/api"|sed 's/[",]//g'));
for _api in ${_list[@]}; do
_aruyo=$(kubectl get --raw ${_api} | jq .resources);
if [ "x${_aruyo}" != "xnull" ]; then
echo;
echo "===${_api}===";
kubectl get --raw ${_api} | jq -r ".resources[].name";
fi;
done
或
_list=($(kubectl get --raw / |grep "^ "/api"|sed 's/[",]//g')); for _api in ${_list[@]}; do _aruyo=$(kubectl get --raw ${_api} | jq .resources); if [ "x${_aruyo}" != "xnull" ]; then echo; echo "===${_api}==="; kubectl get --raw ${_api} | jq -r ".resources[].name"; fi; done
结果:
===/api/v1===
bindings
componentstatuses
configmaps
endpoints
events
limitranges
namespaces
namespaces/finalize
namespaces/status
nodes
nodes/proxy
nodes/status
persistentvolumeclaims
persistentvolumeclaims/status
persistentvolumes
persistentvolumes/status
pods
pods/attach
pods/binding
pods/eviction
pods/exec
pods/log
pods/portforward
pods/proxy
pods/status
podtemplates
replicationcontrollers
replicationcontrollers/scale
replicationcontrollers/status
resourcequotas
resourcequotas/status
secrets
serviceaccounts
serviceaccounts/token
services
services/proxy
services/status
===/apis/admissionregistration.k8s.io/v1beta1===
mutatingwebhookconfigurations
validatingwebhookconfigurations
===/apis/apiextensions.k8s.io/v1beta1===
customresourcedefinitions
customresourcedefinitions/status
===/apis/apiregistration.k8s.io/v1===
apiservices
apiservices/status
===/apis/apiregistration.k8s.io/v1beta1===
apiservices
apiservices/status
===/apis/apps/v1===
controllerrevisions
daemonsets
daemonsets/status
deployments
deployments/scale
deployments/status
replicasets
replicasets/scale
replicasets/status
statefulsets
statefulsets/scale
statefulsets/status
===/apis/apps/v1beta1===
controllerrevisions
deployments
deployments/rollback
deployments/scale
deployments/status
statefulsets
statefulsets/scale
statefulsets/status
===/apis/apps/v1beta2===
controllerrevisions
daemonsets
daemonsets/status
deployments
deployments/scale
deployments/status
replicasets
replicasets/scale
replicasets/status
statefulsets
statefulsets/scale
statefulsets/status
===/apis/authentication.k8s.io/v1===
tokenreviews
===/apis/authentication.k8s.io/v1beta1===
tokenreviews
===/apis/authorization.k8s.io/v1===
localsubjectaccessreviews
selfsubjectaccessreviews
selfsubjectrulesreviews
subjectaccessreviews
===/apis/authorization.k8s.io/v1beta1===
localsubjectaccessreviews
selfsubjectaccessreviews
selfsubjectrulesreviews
subjectaccessreviews
===/apis/autoscaling/v1===
horizontalpodautoscalers
horizontalpodautoscalers/status
===/apis/autoscaling/v2beta1===
horizontalpodautoscalers
horizontalpodautoscalers/status
===/apis/batch/v1===
jobs
jobs/status
===/apis/batch/v1beta1===
cronjobs
cronjobs/status
===/apis/certificates.k8s.io/v1beta1===
certificatesigningrequests
certificatesigningrequests/approval
certificatesigningrequests/status
===/apis/cloud.google.com/v1beta1===
backendconfigs
===/apis/coordination.k8s.io/v1beta1===
leases
===/apis/extensions/v1beta1===
daemonsets
daemonsets/status
deployments
deployments/rollback
deployments/scale
deployments/status
ingresses
ingresses/status
networkpolicies
podsecuritypolicies
replicasets
replicasets/scale
replicasets/status
replicationcontrollers
replicationcontrollers/scale
===/apis/metrics.k8s.io/v1beta1===
nodes
pods
===/apis/networking.gke.io/v1beta1===
managedcertificates
===/apis/networking.k8s.io/v1===
networkpolicies
===/apis/policy/v1beta1===
poddisruptionbudgets
poddisruptionbudgets/status
podsecuritypolicies
===/apis/rbac.authorization.k8s.io/v1===
clusterrolebindings
clusterroles
rolebindings
roles
===/apis/rbac.authorization.k8s.io/v1beta1===
clusterrolebindings
clusterroles
rolebindings
roles
===/apis/scalingpolicy.kope.io/v1alpha1===
scalingpolicies
===/apis/scheduling.k8s.io/v1beta1===
priorityclasses
===/apis/storage.k8s.io/v1===
storageclasses
volumeattachments
volumeattachments/status
===/apis/storage.k8s.io/v1beta1===
storageclasses
volumeattachments
我还想做的是 - 注意 kubernetes 不允许你获得这个列表 ny 默认值,这是预期的和设计使然。
请参阅对"pods/*"的权限应该可以工作
评论:
服务/* 不授予对服务状态更新的权限。
如果要授予对所有资源的无限制访问权限,可以 授予 *
对所有当前和未来子资源的无限制访问是 误导理性。不同的子资源用于 不同的目的。授权资源的所有子资源假定 不会添加任何新的子资源来授予对 FAR 的访问权限 更强大的功能。授予对 pod/* 的访问权限将允许什么 当前是受限制的用户对未来子资源的访问,即使 这些子资源远远超出了当前的能力 子资源。
格式 */scale 可用于授予对子资源的访问权限 在所有资源上命名缩放,对于以下情况很有用: 需要访问特定子资源的自动缩放。