How can I allow port-forwarding for a specific deployment in Kubernetes?

I am trying to allow some users in my organization to port-forward into our production namespace in Kubernetes. However, I do not want them to be able to port-forward to every service; I only want to allow access to certain services. Is this possible?

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: allow-port-forward-for-deployment-a
rules:
- apiGroups: [""]
  resources: ["pods/portforward"]   # the subresource kubectl port-forward uses
  verbs: ["get", "list", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: allow-port-forward-for-deployment-a
  namespace: production   # ClusterRoleBindings are cluster-scoped; this field does not limit the grant to one namespace
subjects:
- kind: User
  name: "xyz@org.com"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: allow-port-forward-for-deployment-a
  apiGroup: rbac.authorization.k8s.io

The setup above allows port-forwarding to all services, which is not what I want.

I believe you cannot do that. According to the docs:

Resources can also be referred to by name for certain requests through the resourceNames list. When specified, requests can be restricted to individual instances of a resource. To restrict a subject to only “get” and “update” a single configmap, you would write:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: configmap-updater
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["update", "get"]

Note that create requests cannot be restricted by resourceName, as the object name is not known at authorization time. The other exception is deletecollection.

Since you want to grant users permission to create port-forwards, I think you cannot do it.

Assuming the user already has access to your kubernetes cluster and the relevant namespace, they can simply port-forward a local port to the pod (resource) port.

How do you do that? kubectl port-forward <POD_NAME> <LOCAL_PORT>:<POD_PORT>

See Documentation

Quoting the documentation: kubectl port-forward allows using resource name, such as a pod name, to select a matching pod to port forward to, since Kubernetes v1.10.

Refer to this article if you wish; it nicely explains when you would need RBAC vs kubectl port-forward. RBAC is only useful when you want a person or group of people to be limited to port-forwarding to any service in the relevant namespace of the cluster.

These rules work for me:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: port-forward
rules:
- apiGroups: [""]
  resources: ["pods/portforward"]
  verbs: ["get", "create"]
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list"]
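As an added illustration (not code from the question or any answer), the following is a simplified model of how the RBAC authorizer evaluates a request against bound rules. It shows why the question's ClusterRole + ClusterRoleBinding grants pods/portforward on every pod in every namespace, and why the Role in the last answer narrows that to one namespace but still not to one deployment: a Deployment's pods have generated names, so there is no stable name to put in resourceNames. Rule aggregation and non-resource URLs are left out; the bindings and pod names below are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    api_groups: list
    resources: list      # "pods/portforward" = resource "pods", subresource "portforward"
    verbs: list
    resource_names: list = field(default_factory=list)

@dataclass
class Binding:
    rules: list          # rules of the referenced Role/ClusterRole
    namespace: str = ""  # set for a RoleBinding; "" for a ClusterRoleBinding

@dataclass
class Request:
    verb: str
    namespace: str
    resource: str
    name: str = ""
    subresource: str = ""
    api_group: str = ""  # "" is the core group, matching apiGroups: [""]

def _match(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, req):
    target = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    if not (_match(rule.verbs, req.verb) and _match(rule.api_groups, req.api_group)
            and _match(rule.resources, target)):
        return False
    # resourceNames narrows a rule to named objects; a request without a name
    # (a plain create, where the name is not yet known) never matches such a rule.
    return not rule.resource_names or req.name in rule.resource_names

def allowed(bindings, req):
    for b in bindings:
        if b.namespace and b.namespace != req.namespace:
            continue  # a RoleBinding grants only inside its own namespace
        if any(rule_allows(r, req) for r in b.rules):
            return True
    return False

def can_port_forward(bindings, namespace, pod):
    # kubectl port-forward POSTs to .../namespaces/<ns>/pods/<pod>/portforward
    return allowed(bindings, Request("create", namespace, "pods", pod, "portforward"))

PORT_FORWARD = [Rule([""], ["pods/portforward"], ["get", "create"])]  # constructed sample rule
CLUSTER_WIDE = [Binding(PORT_FORWARD)]                       # the question's ClusterRoleBinding
PROD_ONLY = [Binding(PORT_FORWARD, namespace="production")]  # the last answer's Role, bound in production
```

Calling can_port_forward(CLUSTER_WIDE, "staging", "api-5c9d8") returns True while can_port_forward(PROD_ONLY, "staging", "api-5c9d8") returns False.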