When defining a ServiceAccount, you tell Kubernetes which apiGroups, resources, and verbs you want to grant access to.

```yaml
apiVersion: v1
kind: ServiceAccount
...
kind: Role
rules:
- apiGroups: [""]
  resources: ["pods", "pods/exec", "persistentvolumeclaims", "services"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete", "deletecollection"]
```

Where can I find the full list of options?
Running kubectl api-resources -o wide provides many of them, but does not return subresources like pods/exec or pods/log.
Simply execute:

```bash
kubectl api-resources --verbs=list --namespaced -o name \
  | xargs -n 1 kubectl get --show-kind --ignore-not-found -l <label>=<value> -n <namespace>
```

The xargs command in UNIX is a command line utility for building an execution pipeline from standard input. Whilst tools like grep can accept standard input as a parameter, many other tools cannot. Using xargs allows tools like echo and rm and mkdir to accept standard input as arguments.
To fetch the logs, use the kubectl logs command, as follows:

```bash
kubectl logs your-pod-name -n namespace-name
```

Sub-resources and verbs that you need to define RBAC roles are not documented anywhere in a static list. They are available in the discovery documentation, i.e. via the API, e.g. /api/apps/v1.
The following bash script will list all the resources, sub-resources and verbs in the following format:

```
api_version resource: [verb]
```

where api-version is core for the core resources and should be replaced by "" (an empty quoted string) in your role definition.
For example, core pods/status: get patch update.
The script requires jq.

```bash
#!/bin/bash
# Lists every resource and sub-resource with its verbs, read from API discovery.
SERVER="localhost:8080"

# names of all non-core API groups
APIS=$(curl -s "$SERVER/apis" | jq -r '[.groups | .[].name] | join(" ")')

# do core resources first, which are at a separate api location
api="core"
curl -s "$SERVER/api/v1" | jq -r --arg api "$api" '.resources | .[] | "\($api) \(.name): \(.verbs | join(" "))"'

# now do non-core resources
for api in $APIS; do
    version=$(curl -s "$SERVER/apis/$api" | jq -r '.preferredVersion.version')
    curl -s "$SERVER/apis/$api/$version" | jq -r --arg api "$api" '.resources | .[]? | "\($api) \(.name): \(.verbs | join(" "))"'
done
```

Note that where no verbs are listed via the api, the output will just show the api version and the resource, e.g.

```
core pods/exec:
```

In the specific instance of the following resources unfortunately no verbs are shown via the api.

```
nodes/proxy
pods/attach
pods/exec
pods/portforward
pods/proxy
services/proxy
```

The supported verbs for these resources are as follows:

```
nodes/proxy: create delete get patch update
pods/attach: create get
pods/exec: create get
pods/portforward: create get
pods/proxy: create delete get patch update
services/proxy: create delete get patch update
```

Documentation about logging: kubernetes-logging.
You can find more information here: api-resources.
Useful blog: kubectl-cheat-sheet.
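
As an added example (not part of the original question or answer), the sketch below checks the Role rule from the question against discovery data and splits it into per-resource rules that keep only the verbs the API serves, using the answer's verb table where discovery reports none. The discovery sample is constructed, and the names supported_verbs and tighten_rule are hypothetical helpers; wildcard ("*") entries are not expanded.

```python
# Added example: trims an RBAC rule to the verbs each resource actually serves.
FULL = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
PROXY = ["create", "delete", "get", "patch", "update"]
CONNECT = ["create", "get"]

# Constructed sample in the shape of the discovery document at /api/v1 (trimmed).
SAMPLE_CORE_V1 = {
    "groupVersion": "v1",
    "resources": [
        {"name": "pods", "verbs": FULL},
        {"name": "pods/exec", "verbs": []},  # no verbs reported, as the answer describes
        {"name": "persistentvolumeclaims", "verbs": FULL},
        {"name": "services", "verbs": FULL},
    ],
}

# Verbs the answer lists for subresources whose discovery entry shows none.
FALLBACK_VERBS = {
    "nodes/proxy": PROXY, "pods/proxy": PROXY, "services/proxy": PROXY,
    "pods/attach": CONNECT, "pods/exec": CONNECT, "pods/portforward": CONNECT,
}

# The rule from the question's Role.
QUESTION_RULE = {
    "apiGroups": [""],
    "resources": ["pods", "pods/exec", "persistentvolumeclaims", "services"],
    "verbs": ["get", "watch", "list", "create", "update", "patch", "delete", "deletecollection"],
}

def supported_verbs(resource_list):
    """Map resource name -> set of verbs, falling back to the table when empty."""
    return {r["name"]: set(r.get("verbs") or FALLBACK_VERBS.get(r["name"], []))
            for r in resource_list.get("resources", [])}

def tighten_rule(rule, supported):
    """Split a rule per resource, keeping only served verbs.
    Returns (rules, dropped); dropped holds the removed (resource, verb) pairs."""
    rules, dropped = [], []
    for resource in rule["resources"]:
        served = supported.get(resource, set())
        keep = [v for v in rule["verbs"] if v in served]
        dropped += [(resource, v) for v in rule["verbs"] if v not in served]
        if keep:
            rules.append({"apiGroups": rule["apiGroups"],
                          "resources": [resource], "verbs": keep})
    return rules, dropped

if __name__ == "__main__":
    new_rules, removed = tighten_rule(QUESTION_RULE, supported_verbs(SAMPLE_CORE_V1))
    for r in new_rules:
        print(r)
    print("dropped:", removed)
```

Against a real cluster, the input would be the JSON returned by the discovery endpoints the answer's script queries.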