REST K8s forbidden: attempt to grant extra privileges

Tags: rest, kubernetes, rbac

I cannot create a ClusterRole using the K8s REST API. I get a "forbidden: attempt to grant extra privileges" error, even though you can create the same ClusterRole with "kubectl apply" using the same user. Running in GCP. Version: "1.11.6-gke.3"

Here are my steps:

1. IAM configuration. IAM user: berlioz-robot@xxx.iam.gserviceaccount.com, role: Kubernetes Engine Admin

2. Make the user an admin. Applied with kubectl:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: berlioz:robot-cluster-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: berlioz-robot@xxx.iam.gserviceaccount.com

3. Generate a login token. Header:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "xxxxxxxxxxxxxxxxxxxxxxxxxx"
}

Payload:

{
  "iss": "berlioz-robot@xxx.iam.gserviceaccount.com",
  "sub": "berlioz-robot@xxx.iam.gserviceaccount.com",
  "aud": "https://www.googleapis.com/oauth2/v4/token",
  "scope": "https://www.googleapis.com/auth/cloud-platform",
  "iat": 1548743213,
  "exp": 1548746813
}

4. Login. Result:

{
    "access_token": "ya29.xxxxxxxxxxxxxxxx",
    "expires_in": 3600,
    "token_type": "Bearer"
}

5. Create a new ClusterRole using the REST API. Result:

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "clusterroles.rbac.authorization.k8s.io \"berlioz:controller-cluster-role-test\" is forbidden: attempt to grant extra privileges: [{[get] [] [nodes] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []}] user=&{110887992956644566571  [system:authenticated] map[user-assertion.cloud.google.com:[xxxxx]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]",
    "reason": "Forbidden",
    "details": {
        "name": "berlioz:controller-cluster-role-test",
        "group": "rbac.authorization.k8s.io",
        "kind": "clusterroles"
    },
    "code": 403
}

Interestingly, if I set the rules list to empty, it goes through. As noted above, the same ClusterRole is created successfully using kubectl.

According to the GKE documentation:

In GKE, Cloud IAM and Kubernetes RBAC are integrated to authorize users to perform actions if they have sufficient permissions according to either tool. This is an important part of bootstrapping a GKE cluster, since by default GCP users do not have any Kubernetes RBAC RoleBindings.

Once a user or GCP service account is authenticated, they must also be authorized to perform any action on a GKE cluster.

In GKE clusters using GKE v1.11.x and earlier, there is a limitation that Cloud IAM cannot grant the ability to create Kubernetes. However, it does grant users the ability to create Kubernetes RBAC for any user (including themselves), which can be used to bind a GCP user to

In particular, the cluster-admin predefined RBAC role grants a user full permissions in the cluster. Therefore, to bootstrap a user so they can create RBAC Roles and ClusterRoles, issue the following command, replacing [USER_ACCOUNT] with the target user's GCP login email address:

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user [USER_ACCOUNT]

Note: [USER_ACCOUNT] is case sensitive. To avoid errors, enter the target user's email address in lowercase.

Alternatively, you can use the following yaml:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: username@google-account-domain.com

Once such a ClusterRoleBinding has been created, you will be able to create ClusterRoles.
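The "attempt to grant extra privileges" error comes from the API server's RBAC escalation check: a ClusterRole can only be created or updated if every permission it contains is already held by the caller, and the message lists the caller's effective permissions as `ownerrules`. The following Python model of that coverage check is added here and is not part of the question, the answer or Kubernetes itself; it replays the rules from the 403 message above and shows why an empty rules list passes and why holding cluster-admin makes the request pass (resourceNames and subresource wildcards are omitted from the model).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyRule:
    """One RBAC rule (resourceNames and subresource wildcards omitted for brevity)."""
    verbs: frozenset
    api_groups: frozenset = frozenset()
    resources: frozenset = frozenset()
    non_resource_urls: frozenset = frozenset()

def rule(verbs, groups=(), resources=(), urls=()):
    return PolicyRule(frozenset(verbs), frozenset(groups), frozenset(resources), frozenset(urls))

def atoms(r):
    """Expand a rule into the atomic permissions it grants, as the escalation check does."""
    res = [(verb, g, s) for verb in sorted(r.verbs) for g in sorted(r.api_groups)
           for s in sorted(r.resources)]
    return res + [(verb, None, u) for verb in sorted(r.verbs) for u in sorted(r.non_resource_urls)]

def rule_covers(owner, atom):
    """True if one owner rule grants the atom; '*' is a wildcard, a trailing '*' in a URL is a prefix."""
    verb, group, target = atom
    if "*" not in owner.verbs and verb not in owner.verbs:
        return False
    if group is None:  # non-resource URL atom
        return any(u == target or (u.endswith("*") and target.startswith(u[:-1]))
                   for u in owner.non_resource_urls)
    return all("*" in have or want in have
               for have, want in ((owner.api_groups, group), (owner.resources, target)))

def extra_privileges(owner_rules, requested_rules):
    """Atoms in requested_rules that no owner rule covers; a non-empty result is
    what the API server reports as 'attempt to grant extra privileges'."""
    return [a for r in requested_rules for a in atoms(r)
            if not any(rule_covers(o, a) for o in owner_rules)]

# Constructed from the 403 message on this page: the caller's effective rules
# (ownerrules=...) and the rules the new ClusterRole asked for. "" is the core
# API group, which the error text prints as [].
OWNER_RULES = [
    rule({"create"}, {"authorization.k8s.io"},
         {"selfsubjectaccessreviews", "selfsubjectrulesreviews"}),
    rule({"get"}, urls={"/api", "/api/*", "/apis", "/apis/*", "/healthz", "/openapi",
                        "/openapi/*", "/swagger-2.0.0.pb-v1", "/swagger.json",
                        "/swaggerapi", "/swaggerapi/*", "/version", "/version/"}),
]
REQUESTED = [rule({"get", "list", "watch"}, {""}, {"nodes"})]
# The rules cluster-admin grants, i.e. what the caller holds once the answer's
# ClusterRoleBinding applies to the identity that actually makes the request.
CLUSTER_ADMIN = [rule({"*"}, {"*"}, {"*"}), rule({"*"}, urls={"*"})]
```

The `user=` part of the message shows the identity and groups the API server resolved for the bearer token; RBAC looks up `ownerrules` by that identity, so a ClusterRoleBinding only changes the outcome when its subject names the identity the REST caller is authenticated as.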