GKE Kubernetes RBAC 将默认角色绑定到我的有限自定义
GKE Kubernetes RBAC bind default role to my limited custom
我正在使用 G
我想创建一个只能访问特定命名空间的自定义用户,我使用了这个 yaml:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: develop-user
namespace: develop
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: develop-user-full-access
namespace: develop
rules:
- apiGroups: rbac.authorization.k8s.io
resources:
- services
verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: develop-user-view
namespace: develop
subjects:
- kind: ServiceAccount
name: develop-user
namespace: develop
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: develop-user-full-access
因此,在我将上下文切换到这个新服务帐户并发现我仍然可以访问所有内容之后,我获得了一个证书并添加到我的 kube 配置中:(
为什么会发生以及如何解决?
我的 kubeconfig(粘贴复制:https://pastebin.com/s5Nd6Dnn):
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: %certificate-data%
server: https://animeheaven.nyah
name: anime-cluster-develop
contexts:
- context:
cluster: anime-cluster-develop
namespace: develop
user: develop-user
name: anime-develop
current-context: anime-develop
kind: Config
preferences: {}
users:
- name: develop-user
user:
client-key-data: %certdata%
token: %tokenkey%
这里有一篇关于如何设置它的好文章:https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html。
总的来说,你的配置没问题,我把- apiGroups: rbac.authorization.k8s.io这一行改成了:
- apiGroups: ["", "extensions", "apps"]
然后,应用以下步骤:
- 创建
develop 命名空间
$ kubectl create namespace develop
- 根据您的配置创建 RBAC。
$ kubectl apply -f rbac.yaml
- 读取集群 IP、令牌和 CA 证书。
$ kubectl cluster-info
$ kubectl get secret develop-user-token-2wsnb -o jsonpath={.data.token} -n develop | base64 --decode
$ kubectl get secret develop-user-token-2wsnb -o "jsonpath={.data['ca\.crt']}" -n develop
- 填写
~/.kube/config 文件(如 linked guide 中所述)
- 将上下文更改为
develop
- 用户只能访问
develop 命名空间中的检查服务。
$ kubectl get service my-service -n mynamespace
Error from server (Forbidden): services "my-service" is forbidden: User "system:serviceaccount:develop:develop-user" cannot get services in the namespace "mynamespace"
$ kubectl get service my-service -n develop
hError from server (NotFound): services "my-service" not found
https://medium.com/uptime-99/making-sense-of-kubernetes-rbac-and-iam-roles-on-gke-914131b01922
https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28
这两篇文章终于帮到我了!由于这些愚蠢的事情,我几乎感到沮丧,感谢 uptime-99 和 ManagedKube 我做到了!耶!
关键是在gcloud中创建kubernetes-viewer用户,然后为他创建角色
这里有一个提示!
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: develop
name: allow-developer-port-forward
rules:
- apiGroups: [""]
resources: ["pods", "pods/portforward"]
verbs: ["get", "list", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: anime-developer-port-access
namespace: develop
subjects:
- kind: User
name: ANIMEDEVERLOP@gmail.com
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-developer-port-forward
apiGroup: ""
然后
kubectly apply -f accessconfig.yaml
就是这样!
祝你有美好的一天!
我正在使用 G 我想创建一个只能访问特定命名空间的自定义用户,我使用了这个 yaml:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: develop-user
namespace: develop
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: develop-user-full-access
namespace: develop
rules:
- apiGroups: rbac.authorization.k8s.io
resources:
- services
verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: develop-user-view
namespace: develop
subjects:
- kind: ServiceAccount
name: develop-user
namespace: develop
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: develop-user-full-access
因此,在我将上下文切换到这个新服务帐户并发现我仍然可以访问所有内容之后,我获得了一个证书并添加到我的 kube 配置中:(
为什么会发生以及如何解决?
我的 kubeconfig(粘贴复制:https://pastebin.com/s5Nd6Dnn):
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: %certificate-data%
server: https://animeheaven.nyah
name: anime-cluster-develop
contexts:
- context:
cluster: anime-cluster-develop
namespace: develop
user: develop-user
name: anime-develop
current-context: anime-develop
kind: Config
preferences: {}
users:
- name: develop-user
user:
client-key-data: %certdata%
token: %tokenkey%
这里有一篇关于如何设置它的好文章:https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html。
总的来说,你的配置没问题,我把- apiGroups: rbac.authorization.k8s.io这一行改成了:
- apiGroups: ["", "extensions", "apps"]
然后,应用以下步骤:
- 创建
develop命名空间
$ kubectl create namespace develop
- 根据您的配置创建 RBAC。
$ kubectl apply -f rbac.yaml
- 读取集群 IP、令牌和 CA 证书。
$ kubectl cluster-info
$ kubectl get secret develop-user-token-2wsnb -o jsonpath={.data.token} -n develop | base64 --decode
$ kubectl get secret develop-user-token-2wsnb -o "jsonpath={.data['ca\.crt']}" -n develop
- 填写
~/.kube/config文件(如 linked guide 中所述) - 将上下文更改为
develop - 用户只能访问
develop命名空间中的检查服务。
$ kubectl get service my-service -n mynamespace
Error from server (Forbidden): services "my-service" is forbidden: User "system:serviceaccount:develop:develop-user" cannot get services in the namespace "mynamespace"
$ kubectl get service my-service -n develop
hError from server (NotFound): services "my-service" not found
https://medium.com/uptime-99/making-sense-of-kubernetes-rbac-and-iam-roles-on-gke-914131b01922
https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28
这两篇文章终于帮到我了!由于这些愚蠢的事情,我几乎感到沮丧,感谢 uptime-99 和 ManagedKube 我做到了!耶!
关键是在gcloud中创建kubernetes-viewer用户,然后为他创建角色 这里有一个提示!
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: develop
name: allow-developer-port-forward
rules:
- apiGroups: [""]
resources: ["pods", "pods/portforward"]
verbs: ["get", "list", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: anime-developer-port-access
namespace: develop
subjects:
- kind: User
name: ANIMEDEVERLOP@gmail.com
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-developer-port-forward
apiGroup: ""
然后
kubectly apply -f accessconfig.yaml
就是这样!
祝你有美好的一天!