How do I reference all sub-resources of a resource in a Role definition?

Kos*_*Kos 3 rbac kubernetes

Here is a simple Kubernetes Role:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: temp-role
  namespace: stackoverflow
rules:
- apiGroups: [""]
  resources:
  - pods
  verbs:
  - get

This Role lets me say kubectl get pod foobar and I get the pod.

However, I now cannot get the pod's logs:

Error from server (Forbidden): pods "foobar" is forbidden: User "system:serviceaccount:kube-system:myuser" cannot get resource "pods/log" in API group "" in the namespace "stackoverflow"

So the error tells me there is a separate sub-resource pods/log that I need to mention explicitly in my resources.

Interestingly, kubectl auth can-i lies to me:

$ kubectl -n stackoverflow auth can-i get pods/log
yes

OK, let's fix that and mention the sub-resource directly:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: temp-role
  namespace: stackoverflow
rules:
- apiGroups: [""]
  resources:
  - pods
  - pods/log
  verbs:
  - get

Now I can retrieve the logs correctly!

So what's the problem?

The thing is, I'm trying to create a ClusterRole with read/write access to some specific resources (specifically a subset of the edit ClusterRole), and I hoped I could do it by using kubectl api-resources and allowing everything from there, except for the few things I don't want to allow.

But sub-resources like pods/log don't show up in that list, so this approach doesn't work - I would block access to some things I intended to expose, and I don't even know exactly what. I only learned about pods/log after trying it and finding it didn't work.

So I'm looking for a way to either:

  • mention a resource together with all its sub-resources in rules.resources (I tried pods/* but it doesn't seem to do anything)
  • if that's not possible: get a list of all resources and sub-resources so I can whitelist them all individually in rules.resources.

Ideas?

Vit*_*Vit 5

The answer was inspired by the article [Bash] [Kubernetes] Script to List All Available Resource/Sub-resource Name for RBAC Configuration.

Two scripts, both work for me:

#!/usr/bin/env bash
# Collect every group/version path the API server advertises at its root.
_list=($(kubectl get --raw / | grep '^    "/api' | sed 's/[",]//g'))
for _api in "${_list[@]}"; do
  # Fetch the APIResourceList once; ".resources" is null for paths without one.
  _doc=$(kubectl get --raw "${_api}")
  if [ "x$(echo "${_doc}" | jq .resources)" != "xnull" ]; then
    echo
    echo "===${_api}==="
    # Resource and sub-resource names (e.g. pods and pods/log) in this group/version.
    echo "${_doc}" | jq -r '.resources[].name'
  fi
done

or

_list=($(kubectl get --raw / | grep '^    "/api' | sed 's/[",]//g')); for _api in "${_list[@]}"; do _aruyo=$(kubectl get --raw "${_api}" | jq .resources); if [ "x${_aruyo}" != "xnull" ]; then echo; echo "===${_api}==="; kubectl get --raw "${_api}" | jq -r '.resources[].name'; fi; done

Result:

===/api/v1===
bindings
componentstatuses
configmaps
endpoints
events
limitranges
namespaces
namespaces/finalize
namespaces/status
nodes
nodes/proxy
nodes/status
persistentvolumeclaims
persistentvolumeclaims/status
persistentvolumes
persistentvolumes/status
pods
pods/attach
pods/binding
pods/eviction
pods/exec
pods/log
pods/portforward
pods/proxy
pods/status
podtemplates
replicationcontrollers
replicationcontrollers/scale
replicationcontrollers/status
resourcequotas
resourcequotas/status
secrets
serviceaccounts
serviceaccounts/token
services
services/proxy
services/status

===/apis/admissionregistration.k8s.io/v1beta1===
mutatingwebhookconfigurations
validatingwebhookconfigurations

===/apis/apiextensions.k8s.io/v1beta1===
customresourcedefinitions
customresourcedefinitions/status

===/apis/apiregistration.k8s.io/v1===
apiservices
apiservices/status

===/apis/apiregistration.k8s.io/v1beta1===
apiservices
apiservices/status

===/apis/apps/v1===
controllerrevisions
daemonsets
daemonsets/status
deployments
deployments/scale
deployments/status
replicasets
replicasets/scale
replicasets/status
statefulsets
statefulsets/scale
statefulsets/status

===/apis/apps/v1beta1===
controllerrevisions
deployments
deployments/rollback
deployments/scale
deployments/status
statefulsets
statefulsets/scale
statefulsets/status

===/apis/apps/v1beta2===
controllerrevisions
daemonsets
daemonsets/status
deployments
deployments/scale
deployments/status
replicasets
replicasets/scale
replicasets/status
statefulsets
statefulsets/scale
statefulsets/status

===/apis/authentication.k8s.io/v1===
tokenreviews

===/apis/authentication.k8s.io/v1beta1===
tokenreviews

===/apis/authorization.k8s.io/v1===
localsubjectaccessreviews
selfsubjectaccessreviews
selfsubjectrulesreviews
subjectaccessreviews

===/apis/authorization.k8s.io/v1beta1===
localsubjectaccessreviews
selfsubjectaccessreviews
selfsubjectrulesreviews
subjectaccessreviews

===/apis/autoscaling/v1===
horizontalpodautoscalers
horizontalpodautoscalers/status

===/apis/autoscaling/v2beta1===
horizontalpodautoscalers
horizontalpodautoscalers/status

===/apis/batch/v1===
jobs
jobs/status

===/apis/batch/v1beta1===
cronjobs
cronjobs/status

===/apis/certificates.k8s.io/v1beta1===
certificatesigningrequests
certificatesigningrequests/approval
certificatesigningrequests/status

===/apis/cloud.google.com/v1beta1===
backendconfigs

===/apis/coordination.k8s.io/v1beta1===
leases

===/apis/extensions/v1beta1===
daemonsets
daemonsets/status
deployments
deployments/rollback
deployments/scale
deployments/status
ingresses
ingresses/status
networkpolicies
podsecuritypolicies
replicasets
replicasets/scale
replicasets/status
replicationcontrollers
replicationcontrollers/scale

===/apis/metrics.k8s.io/v1beta1===
nodes
pods

===/apis/networking.gke.io/v1beta1===
managedcertificates

===/apis/networking.k8s.io/v1===
networkpolicies

===/apis/policy/v1beta1===
poddisruptionbudgets
poddisruptionbudgets/status
podsecuritypolicies

===/apis/rbac.authorization.k8s.io/v1===
clusterrolebindings
clusterroles
rolebindings
roles

===/apis/rbac.authorization.k8s.io/v1beta1===
clusterrolebindings
clusterroles
rolebindings
roles

===/apis/scalingpolicy.kope.io/v1alpha1===
scalingpolicies

===/apis/scheduling.k8s.io/v1beta1===
priorityclasses

===/apis/storage.k8s.io/v1===
storageclasses
volumeattachments
volumeattachments/status

===/apis/storage.k8s.io/v1beta1===
storageclasses
volumeattachments

What I also want to do is point out that Kubernetes does not let you get this by default; that is expected and by design.

See Permissions for "pods/*" should work

Comments:

services/* does not grant permission to update the status of the service.

If you want to grant unrestricted access to all resources, you can use *

Unrestricted access to all current and future sub-resources is misleading reasoning. Different sub-resources serve different purposes. Authorizing all sub-resources of a resource assumes that no new sub-resource will ever be added that grants access to more powerful capabilities. Granting access to pods/* would allow currently restricted users to reach future sub-resources, even if those go far beyond the capabilities of the current ones.

The format */scale can be used to grant access to the sub-resource named scale on all resources, which is useful for operations such as autoscaling that need access to one particular sub-resource.
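An added example (not from the question or the answer above) that takes the JSON the answer's kubectl get --raw calls return and builds the explicit rules the asker wanted: every resource and sub-resource whitelisted by name, minus a small exclusion set, with only the verbs the API actually serves for each one. The discovery documents are constructed inline, and RW, build_rules and to_yaml are names I chose.

```python
# Constructed sample of what `kubectl get --raw <path>` returns for three
# discovery paths (trimmed APIResourceList documents), not real cluster output.
RW = ["create", "delete", "get", "list", "patch", "update", "watch"]
SAMPLE_DISCOVERY = {
    "/api/v1": {"groupVersion": "v1", "resources": [
        {"name": "pods", "verbs": RW},
        {"name": "pods/log", "verbs": ["get"]},
        {"name": "pods/exec", "verbs": ["create", "get"]},
        {"name": "secrets", "verbs": RW},
    ]},
    "/apis/apps/v1": {"groupVersion": "apps/v1", "resources": [
        {"name": "deployments", "verbs": RW},
        {"name": "deployments/scale", "verbs": ["get", "patch", "update"]},
    ]},
    # Some aggregated APIs answer without "resources"; jq prints null for them.
    "/apis/metrics.k8s.io/v1beta1": {"groupVersion": "metrics.k8s.io/v1beta1"},
}

def api_group(group_version):
    """'apps/v1' -> 'apps'; the core group 'v1' -> '' (the [""] in the Role)."""
    return group_version.split("/", 1)[0] if "/" in group_version else ""

def build_rules(discovery, wanted_verbs, exclude):
    """Emit RBAC rules that name every discovered resource and sub-resource
    explicitly (no wildcards), skipping names in `exclude`. Each entry only gets
    the verbs the API serves for it, so pods/log keeps just "get"."""
    grouped = {}  # (apiGroup, verbs) -> resource names sharing that verb set
    for doc in discovery.values():
        if not doc.get("resources"):  # the null case the shell script skips
            continue
        group = api_group(doc["groupVersion"])
        for res in doc["resources"]:
            if res["name"] in exclude:
                continue
            verbs = tuple(sorted(set(wanted_verbs) & set(res["verbs"])))
            if verbs:
                grouped.setdefault((group, verbs), []).append(res["name"])
    return [{"apiGroups": [g], "resources": sorted(names), "verbs": list(v)}
            for (g, v), names in sorted(grouped.items())]

def to_yaml(rules):
    """Render the rules in the same layout as the Role in the question."""
    out = ["rules:"]
    for rule in rules:
        out.append(f'- apiGroups: ["{rule["apiGroups"][0]}"]')
        out += ["  resources:"] + [f"  - {r}" for r in rule["resources"]]
        out += ["  verbs:"] + [f"  - {v}" for v in rule["verbs"]]
    return "\n".join(out)

print(to_yaml(build_rules(SAMPLE_DISCOVERY, RW, {"pods/exec", "secrets"})))
```

Pointing it at real output from the answer's script (one document per group/version) gives a rules list you can paste into a ClusterRole, and anything a future API version adds shows up as a visible new entry rather than being granted silently.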