Docker 为什么可以';我是否使用访问Pod资源和get谓词的服务帐户执行'kubectl get pods--as=api test-n default'?
我在默认命名空间中有以下Docker 为什么可以';我是否使用访问Pod资源和get谓词的服务帐户执行'kubectl get pods--as=api test-n default'?,docker,kubernetes,containers,Docker,Kubernetes,Containers,我在默认命名空间中有以下api测试服务帐户: $ kubectl get serviceaccount api-test -n default -o yaml apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: "2020-03-05T17:15:40Z" name: api-test namespace: default resourceVersion: "27599" selfLink: /ap
api测试服务帐户:
$ kubectl get serviceaccount api-test -n default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: "2020-03-05T17:15:40Z"
name: api-test
namespace: default
resourceVersion: "27599"
selfLink: /api/v1/namespaces/default/serviceaccounts/api-test
uid: dd51ae9e-9729-4084-9e1e-b5421861b215
secrets:
- name: api-test-token-kz796
api测试
服务帐户通过以下角色绑定具有角色pod阅读器
:
$ kubectl get rolebinding api-test:pod-reader -n default -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"api-test:pod-reader","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"pod-reader"},"subjects":[{"kind":"ServiceAccount","name":"api-test"}]}
creationTimestamp: "2020-03-17T11:03:36Z"
name: api-test:pod-reader
namespace: default
resourceVersion: "374396"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/api-test:pod-reader
uid: 5df0d84e-1d64-4750-9e3c-4026ec8193a4
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-reader
subjects:
- kind: ServiceAccount
name: api-test
pod阅读器
可以访问pod
资源和get
动词:
$ kubectl get role pod-reader -n default -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pod-reader","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","watch","list"]}]}
creationTimestamp: "2020-03-17T10:47:39Z"
name: pod-reader
namespace: default
resourceVersion: "373233"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/roles/pod-reader
uid: 19463c6a-3e68-4127-9c0a-ca1f7749af24
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
但是,以下kubectl get pods…
命令在默认名称空间中失败,使用用户模拟--as=api test
:
$ kubectl get pods --as=api-test -n default -v6
I0317 12:52:34.116634 63031 loader.go:359] Config loaded from file: /Users/nlykkei/.kube/config
I0317 12:52:34.139588 63031 round_trippers.go:438] GET https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods?limit=500 403 Forbidden in 15 milliseconds
I0317 12:52:34.139857 63031 helpers.go:199] server response object: [{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "pods is forbidden: User \"api-test\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}]
F0317 12:52:34.139901 63031 helpers.go:114] Error from server (Forbidden): pods is forbidden: User "api-test" cannot list resource "pods" in API group "" in the namespace "default"
检查api测试的授权
表明它具有get
访问/api/*
:
$ kubectl auth can-i --list --as=api-test -n default
Resources Non-Resource URLs Resource Names Verbs
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
为什么不能使用我的api测试
服务帐户来检索默认名称空间中的POD信息
实际上,kubectl
输出的URL匹配通配符路径/api/*
:
$ kubectl auth can-i --list --as=api-test -n default
Resources Non-Resource URLs Resource Names Verbs
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
有什么想法吗?创建角色和角色绑定的命令
kubectl create role pod-reader --resource=pods --verb=get,list,watch --namespace=default
kubectl create rolebinding pod-reader-role-binding --role=pod-reader --serviceaccount=default:api-test -n default
检查权限的命令应为
kubectl auth can-i get pods -n default --as=system:serviceaccount:api-test:default
yes
访问资源
kubectl get pods --as=system:serviceaccount:default:api-test -n default
您应该使用--as=system:servicecomport:(名称空间):(servicecomport)
对API服务器进行身份验证
在您的示例中,这是--as=system:servicecomport:default:api test
有关详细信息,请参见Kubernetes文档:
服务帐户使用用户名进行身份验证
系统:serviceaccount:(命名空间):(serviceaccount)
,并已分配
到组系统:serviceaccounts
和
系统:serviceaccounts:(命名空间)
谢谢,如果我使用--as=system:serviceCount:api测试:默认值,我也会得到是的
。为什么需要系统:serviceaccount
前缀和默认值
post?它们记录在哪里?服务帐户的用户名(听起来有点奇怪)记录在案。@char-只有我记录在那里的前缀,后缀如何,例如:default
?不确定,通常系统:serviceaccount:api测试:default
指的是api测试命名空间中名为default的服务帐户。它是否只适用于:kubectl get pods--as=system:servicecomport:api test-n default
?那么可能只是忽略了参数的其余部分。@ArghyaSadhu-不应该--as=system:servicecomport:default:api test
be--as=system:servicecomport:api test:default
?