How are Kubernetes user tokens authorized?

I have two kubernetes clusters set up by kops. Both are running v1.10.8. I have done my best to mirror the configuration between the two. Both have RBAC enabled. I have kubernetes-dashboard running on both. Both have a /srv/kubernetes/known_tokens.csv with an admin and a kube user:

$ sudo cat /srv/kubernetes/known_tokens.csv
ABCD,admin,admin,system:masters
DEFG,kube,kube
(... other users ...)

My question is: how do these users get authorized, taking RBAC into account? When authenticating to kubernetes-dashboard with the tokens, the admin user's token works on both clusters and has full access. But the kube user's token only has access on one of the clusters. On the other cluster I get the following errors in the dashboard.

configmaps is forbidden: User "kube" cannot list configmaps in the namespace "default"
persistentvolumeclaims is forbidden: User "kube" cannot list persistentvolumeclaims in the namespace "default"
secrets is forbidden: User "kube" cannot list secrets in the namespace "default"
services is forbidden: User "kube" cannot list services in the namespace "default"
ingresses.extensions is forbidden: User "kube" cannot list ingresses.extensions in the namespace "default"
daemonsets.apps is forbidden: User "kube" cannot list daemonsets.apps in the namespace "default"
pods is forbidden: User "kube" cannot list pods in the namespace "default"
events is forbidden: User "kube" cannot list events in the namespace "default"
deployments.apps is forbidden: User "kube" cannot list deployments.apps in the namespace "default"
replicasets.apps is forbidden: User "kube" cannot list replicasets.apps in the namespace "default"
jobs.batch is forbidden: User "kube" cannot list jobs.batch in the namespace "default"
cronjobs.batch is forbidden: User "kube" cannot list cronjobs.batch in the namespace "default"
replicationcontrollers is forbidden: User "kube" cannot list replicationcontrollers in the namespace "default"
statefulsets.apps is forbidden: User "kube" cannot list statefulsets.apps in the namespace "default"

According to the official docs, "Kubernetes does not have objects which represent normal user accounts".

I cannot find anything on the working cluster that would authorize kube. Likewise, I cannot find anything that would restrict kube on the other cluster. I checked all the ClusterRoleBinding resources in the default and kube-system namespaces. None of them reference the kube user. So why is there a difference in access from the dashboard, and how can I adjust it?

Some other questions:

Update

I restarted the working cluster and now it no longer works. I get the same authorization errors as on the other cluster. It looks like this was some kind of cached access. Sorry for the spurious question. I am still curious about my follow-up questions, but those can become separate questions.

It is hard to tell without access to the cluster, but my guess is that you have a Role and a RoleBinding somewhere for the kube user on the cluster where it works. Not a ClusterRole/ClusterRoleBinding.

Something like this:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: my-role
  namespace: default
rules:
- apiGroups: [""]    # "" is the core API group, where services, endpoints and pods live
  resources: ["services", "endpoints", "pods"]
  verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: kube-role-binding
  namespace: default
subjects:
- kind: User
  name: "kube"    # must match the username column of known_tokens.csv exactly
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: my-role
  apiGroup: rbac.authorization.k8s.io

How do I debug authorization issues such as this? The dashboard logs just say this user doesn't have access. Is there somewhere I can see which serviceAccount a particular request or token is mapped to?

You can look at the kube-apiserver logs under /var/log/kube-apiserver.log on your leader master. Or, if it is running in a container, docker logs <container-id-of-kube-apiserver>
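The question above boils down to two separate steps that are easy to conflate: the static token file only does authentication (token to username, uid and groups), and RBAC then authorizes that username and those groups. The following is an added example, not code from the original post or from kops; it parses a constructed token file in the same format as the /srv/kubernetes/known_tokens.csv shown in the question (token,username,uid,"group1,group2,...") and reports which identity the apiserver would see and why the admin identity gets access without any binding naming it. The file contents, the dev token and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): how kube-apiserver's static
# token file (--token-auth-file; kops writes it to
# /srv/kubernetes/known_tokens.csv) maps a bearer token to an identity.
# Each line is: token,username,uid,"group1,group2,...". The groups column is
# optional, and the quoted group list may itself contain commas.
# The file below is constructed for this example (the HIJK line is invented).
KNOWN_TOKENS=$(mktemp)
cat > "$KNOWN_TOKENS" <<'EOF'
ABCD,admin,admin,system:masters
DEFG,kube,kube
HIJK,dev,dev,"dev-team,read-only"
EOF

# token_identity FILE TOKEN
# Prints "user=<name> uid=<uid> groups=<groups>" for a known token and returns
# 1 for an unknown one (the apiserver would answer 401 Unauthorized, i.e. the
# request never reaches RBAC).
token_identity() {
  file=$1
  token=$2
  line=$(grep -- "^${token}," "$file" | head -n 1)
  if [ -z "$line" ]; then
    echo "token not in $file: authentication fails" >&2
    return 1
  fi
  user=$(printf '%s\n' "$line" | cut -d, -f2)
  uid=$(printf '%s\n' "$line" | cut -d, -f3)
  # Field 4 onward is the (optionally quoted) group list; strip the quotes.
  groups=$(printf '%s\n' "$line" | cut -d, -f4- | tr -d '"')
  printf 'user=%s uid=%s groups=%s\n' "$user" "$uid" "${groups:-<none>}"
}

# in_group GROUPS WANTED
# Returns 0 when WANTED is exactly one of the comma-separated GROUPS.
in_group() {
  oldifs=$IFS
  IFS=','
  for g in $1; do
    if [ "$g" = "$2" ]; then
      IFS=$oldifs
      return 0
    fi
  done
  IFS=$oldifs
  return 1
}

# why_authorized FILE TOKEN
# Explains what RBAC matches for the identity behind TOKEN. Members of the
# system:masters group are granted the cluster-admin ClusterRole by the
# bootstrap ClusterRoleBinding named "cluster-admin", so no binding has to
# name the admin user itself. Every other user only gets what a RoleBinding
# or ClusterRoleBinding that names the user (or one of its groups) grants.
why_authorized() {
  ident=$(token_identity "$1" "$2") || return 1
  groups=${ident##*groups=}
  if in_group "$groups" system:masters; then
    echo "cluster-admin: group system:masters is bound to ClusterRole cluster-admin by the bootstrap ClusterRoleBinding"
  else
    echo "no bootstrap binding: access depends on a RoleBinding/ClusterRoleBinding naming the user or one of its groups"
  fi
}

token_identity "$KNOWN_TOKENS" ABCD
why_authorized "$KNOWN_TOKENS" ABCD
token_identity "$KNOWN_TOKENS" DEFG
why_authorized "$KNOWN_TOKENS" DEFG
token_identity "$KNOWN_TOKENS" ZZZZ || echo "(unknown token rejected before authorization, as expected)"
```

Two practical checks follow from this. First, ClusterRoleBindings are cluster-scoped, so listing them "in the default and kube-system namespaces" is the same list twice; to find what grants kube anything, look at RoleBindings in every namespace as well, for example `kubectl get rolebindings,clusterrolebindings --all-namespaces -o yaml` and search for `name: kube`, and confirm the effective result with `kubectl auth can-i list pods --namespace default --as kube`, which asks the apiserver the same question the dashboard does. Second, the static token file is read once at apiserver start, so edits to it (or to the user's group column) only take effect after the apiserver restarts, which is one reason a cluster can appear to behave differently until it is rebooted.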