Warning: file_get_contents(/data/phpspider/zhask/data//catemap/7/kubernetes/5.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Docker 为什么可以';我是否使用访问Pod资源和get谓词的服务帐户执行'kubectl get pods--as=api test-n default'?_Docker_Kubernetes_Containers - Fatal编程技术网

Docker 为什么可以';我是否使用访问Pod资源和get谓词的服务帐户执行'kubectl get pods--as=api test-n default'?

Docker 为什么可以';我是否使用访问Pod资源和get谓词的服务帐户执行'kubectl get pods--as=api test-n default'?,docker,kubernetes,containers,Docker,Kubernetes,Containers,我在默认命名空间中有以下api测试服务帐户: $ kubectl get serviceaccount api-test -n default -o yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: "2020-03-05T17:15:40Z" name: api-test namespace: default resourceVersion: "27599" selfLink: /ap

我在默认命名空间中有以下
api测试
服务帐户:

$ kubectl get serviceaccount api-test -n default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-03-05T17:15:40Z"
  name: api-test
  namespace: default
  resourceVersion: "27599"
  selfLink: /api/v1/namespaces/default/serviceaccounts/api-test
  uid: dd51ae9e-9729-4084-9e1e-b5421861b215
secrets:
- name: api-test-token-kz796
api测试
服务帐户通过以下角色绑定具有角色
pod阅读器

$ kubectl get rolebinding api-test:pod-reader -n default -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"api-test:pod-reader","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"pod-reader"},"subjects":[{"kind":"ServiceAccount","name":"api-test"}]}
  creationTimestamp: "2020-03-17T11:03:36Z"
  name: api-test:pod-reader
  namespace: default
  resourceVersion: "374396"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/api-test:pod-reader
  uid: 5df0d84e-1d64-4750-9e3c-4026ec8193a4
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: api-test
pod阅读器
可以访问
pod
资源和
get
动词:

$ kubectl get role pod-reader -n default -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pod-reader","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","watch","list"]}]}
  creationTimestamp: "2020-03-17T10:47:39Z"
  name: pod-reader
  namespace: default
  resourceVersion: "373233"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/roles/pod-reader
  uid: 19463c6a-3e68-4127-9c0a-ca1f7749af24
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
但是,以下
kubectl get pods…
命令在默认名称空间中失败,使用用户模拟
--as=api test

$ kubectl get pods --as=api-test -n default -v6
I0317 12:52:34.116634   63031 loader.go:359] Config loaded from file:  /Users/nlykkei/.kube/config
I0317 12:52:34.139588   63031 round_trippers.go:438] GET https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods?limit=500 403 Forbidden in 15 milliseconds
I0317 12:52:34.139857   63031 helpers.go:199] server response object: [{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"api-test\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}]
F0317 12:52:34.139901   63031 helpers.go:114] Error from server (Forbidden): pods is forbidden: User "api-test" cannot list resource "pods" in API group "" in the namespace "default"
检查
api测试的授权
表明它具有
get
访问
/api/*

$ kubectl auth can-i --list --as=api-test -n default
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]
为什么不能使用我的
api测试
服务帐户来检索默认名称空间中的POD信息

实际上,
kubectl
输出的URL匹配通配符路径
/api/*

$ kubectl auth can-i --list --as=api-test -n default
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]


有什么想法吗?

创建角色和角色绑定的命令

kubectl create role pod-reader --resource=pods --verb=get,list,watch --namespace=default 

kubectl create rolebinding pod-reader-role-binding --role=pod-reader --serviceaccount=default:api-test -n default
检查权限的命令应为

kubectl auth can-i get pods -n default --as=system:serviceaccount:api-test:default

yes
访问资源

kubectl get pods --as=system:serviceaccount:default:api-test -n default
您应该使用
--as=system:servicecomport:(名称空间):(servicecomport)
对API服务器进行身份验证

在您的示例中,这是
--as=system:servicecomport:default:api test

有关详细信息,请参见Kubernetes文档:

服务帐户使用用户名进行身份验证
系统:serviceaccount:(命名空间):(serviceaccount)
,并已分配 到组
系统:serviceaccounts
系统:serviceaccounts:(命名空间)


谢谢,如果我使用
--as=system:serviceCount:api测试:默认值,我也会得到
是的
。为什么需要
系统:serviceaccount
前缀和
默认值
post?它们记录在哪里?服务帐户的用户名(听起来有点奇怪)记录在案。@char-只有我记录在那里的前缀,后缀如何,例如
:default
?不确定,通常
系统:serviceaccount:api测试:default
指的是api测试命名空间中名为default的服务帐户。它是否只适用于:
kubectl get pods--as=system:servicecomport:api test-n default
?那么可能只是忽略了参数的其余部分。@ArghyaSadhu-不应该
--as=system:servicecomport:default:api test
be
--as=system:servicecomport:api test:default