Restrictions on selective Kubernetes namespaces for non-admins
I have set up a deletion restriction (using a validating webhook) for all service accounts on a namespace (including the namespace itself). As a cluster admin, can I still delete objects from that namespace?

```rego
package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    # Protected namespaces and the operations blocked there.
    namespaces := {"test01"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    # One %q per argument; the original had a single %q for two values.
    msg := sprintf("Operation not permitted in protected namespace %q, invalid operation %q", [namespace, operation])
}
```
Or, is there a way to make the cluster admin an exception?

Update:

I figured out the username to check, but this policy, although it evaluates correctly in the policy checker, does not get `status: ok` in the configmap status:

```rego
package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    # Usernames that are exempt from the restriction.
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    # One %q per argument; the original had a single %q for three values.
    msg := sprintf("Operation not permitted in protected namespace %q for user %q, invalid operation %q", [namespace, username, operation])
}
```
Update:

After a while the policy status became Ok. This policy works if the username is correct.

```rego
package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    # Usernames that are exempt from the restriction.
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    # One %q per argument; the original had a single %q for three values.
    msg := sprintf("Operation not permitted in protected namespace %q for user %q, invalid operation %q", [namespace, username, operation])
}
```
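The asker's approach, carried a step further as an added example (not the question's or the answer's code): the same deny rule with the admin exemption keyed on the caller's groups as well as the username, plus Rego unit tests built on constructed AdmissionReview inputs so the decision can be checked with `opa test` before the policy is loaded into the cluster. The set and test names are this example's own; `system:masters` is the group kubeadm places in its admin kubeconfig.

```rego
package kubernetes.admission

# Pre-1.0 Rego syntax to match the question (OPA 1.x needs `if`/`contains`
# or its v0 compatibility mode). Names below are this example's own.
protected_namespaces := {"test01", "kube-system"}
blocked_operations := {"CREATE", "DELETE", "UPDATE"}
exempt_users := {"kubernetes-admin", "admin"}
exempt_groups := {"system:masters"}

# A request is exempt if its username is listed ...
is_exempt {
    exempt_users[input.request.userInfo.username]
}

# ... or if any of the caller's groups is an exempt group; kubeadm's admin
# kubeconfig carries system:masters, so this survives a renamed user.
is_exempt {
    exempt_groups[input.request.userInfo.groups[_]]
}

deny[msg] {
    ns := input.request.namespace
    op := input.request.operation
    protected_namespaces[ns]
    blocked_operations[op]
    not is_exempt
    msg := sprintf("operation %q not permitted in protected namespace %q for user %q", [op, ns, input.request.userInfo.username])
}

# Unit tests: run with `opa test <this file>`. Each `with input as` supplies
# a constructed AdmissionReview request (not captured from a real cluster).
test_group_admin_allowed {
    count(deny) == 0 with input as {"request": {
        "namespace": "test01", "operation": "DELETE",
        "userInfo": {"username": "alice", "groups": ["system:masters"]}}}
}

test_listed_user_allowed {
    count(deny) == 0 with input as {"request": {
        "namespace": "kube-system", "operation": "UPDATE",
        "userInfo": {"username": "kubernetes-admin", "groups": ["system:authenticated"]}}}
}

test_other_user_denied {
    count(deny) == 1 with input as {"request": {
        "namespace": "test01", "operation": "CREATE",
        "userInfo": {"username": "bob", "groups": ["system:authenticated"]}}}
}

test_unprotected_namespace_allowed {
    count(deny) == 0 with input as {"request": {
        "namespace": "default", "operation": "DELETE",
        "userInfo": {"username": "bob", "groups": []}}}
}
```

The last test also covers the edge case of an empty `groups` list: the group rule is simply undefined, so only the username rule decides.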
You can delete the object directly from the etcd server, assuming that as a cluster admin you have access to the etcd server.

For example:

```console
$ kubectl get po
NAME READY STATUS RESTARTS AGE
curler-755cc7cfff-xdt6m 1/1 Running 0 21h
nginx-6db489d4b7-qvmgn 1/1 Running 0 21h
```

I want to delete the pod nginx-6db489d4b7-qvmgn:

```console
$ kubectl get po -n kube-system | grep etcd
etcd-v1-16-master 1/1 Running 4 10d
$ kubectl exec -it etcd-v1-16-master -n kube-system sh
$ ETCDCTL_API=3 etcdctl --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt del /registry/pods/default/nginx-6db489d4b7-qvmgn
1
```

Now, if I check again:

```console
$ kubectl get po
NAME READY STATUS RESTARTS AGE
curler-755cc7cfff-xdt6m 1/1 Running 0 21h
nginx-6db489d4b7-n8p8d 1/1 Running 0 35s
```