Kubernetes RBAC "Allowed by RoleBinding" 但 "cannot list resource"
Kubernetes RBAC "Allowed by RoleBinding" but "cannot list resource"
我正在将一个应用程序部署到我的 Kubernetes 集群,它使用 Kubernetes API 列出集群中的 pods(不仅是其名称空间中的那些)。该应用程序将存在于它自己的命名空间中。
RBAC规则如下;
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: kubecontrol-rbac-role-binding
namespace: kubecontrol
subjects:
- kind: ServiceAccount
namespace: kubecontrol
name: default
roleRef:
kind: ClusterRole
name: kubecontrol-rbac-role
apiGroup: rbac.authorization.k8s.io
如您所见,我有一个 ClusterRole,它授予 "list"、"get" 和 "watch" 对 "pods" 资源的权限,以及一个应用此 ClusterRole 的 RoleBinding到命名空间的 default ServiceAccount。
当我使用 kubectl auth can-in 检查授权时,此配置 看起来 是正确的;
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods
yes
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods --v=8
...
I0326 23:17:05.125188 56505 request.go:947] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"kubecontrol","verb":"list","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"kubecontrol-rbac-role-binding/kubecontrol\" of ClusterRole \"kubecontrol-rbac-role\" to ServiceAccount \"default/kubecontrol\""}}
RBAC: allowed by RoleBinding "kubecontrol-rbac-role-binding/kubecontrol" of ClusterRole "kubecontrol-rbac-role" to ServiceAccount "default/kubecontrol"
然而,当我实际尝试执行该操作时,却被告知不允许这样做;
$ kubectl get pod --as=system:serviceaccount:kubecontrol:default --all-namespaces
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kubecontrol:default" cannot list resource "pods" in API group "" at the cluster scope
我在我的应用程序中看到了相同的错误消息。
用户 (system:serviceaccount:kubecontrol:default) 在两种情况下都是相同的,所以为什么我不能 list pods 即使根据 Kubernetes 本身我应该可以?有什么我想念的吗?
使用 --all-namespaces 可以在集群的所有命名空间中列出 pods。但是由于您只使用了 RoleBinding,因此您只拥有来自 ClusterRole 给定命名空间的权利(在您的例子中是命名空间 kubecontrol)。您必须使用 ClusterRoleBinding 来为整个集群提供 ClusterRole。
我正在将一个应用程序部署到我的 Kubernetes 集群,它使用 Kubernetes API 列出集群中的 pods(不仅是其名称空间中的那些)。该应用程序将存在于它自己的命名空间中。
RBAC规则如下;
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: kubecontrol-rbac-role-binding
namespace: kubecontrol
subjects:
- kind: ServiceAccount
namespace: kubecontrol
name: default
roleRef:
kind: ClusterRole
name: kubecontrol-rbac-role
apiGroup: rbac.authorization.k8s.io
如您所见,我有一个 ClusterRole,它授予 "list"、"get" 和 "watch" 对 "pods" 资源的权限,以及一个应用此 ClusterRole 的 RoleBinding到命名空间的 default ServiceAccount。
当我使用 kubectl auth can-in 检查授权时,此配置 看起来 是正确的;
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods
yes
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods --v=8
...
I0326 23:17:05.125188 56505 request.go:947] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"kubecontrol","verb":"list","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"kubecontrol-rbac-role-binding/kubecontrol\" of ClusterRole \"kubecontrol-rbac-role\" to ServiceAccount \"default/kubecontrol\""}}
RBAC: allowed by RoleBinding "kubecontrol-rbac-role-binding/kubecontrol" of ClusterRole "kubecontrol-rbac-role" to ServiceAccount "default/kubecontrol"
然而,当我实际尝试执行该操作时,却被告知不允许这样做;
$ kubectl get pod --as=system:serviceaccount:kubecontrol:default --all-namespaces
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kubecontrol:default" cannot list resource "pods" in API group "" at the cluster scope
我在我的应用程序中看到了相同的错误消息。
用户 (system:serviceaccount:kubecontrol:default) 在两种情况下都是相同的,所以为什么我不能 list pods 即使根据 Kubernetes 本身我应该可以?有什么我想念的吗?
使用 --all-namespaces 可以在集群的所有命名空间中列出 pods。但是由于您只使用了 RoleBinding,因此您只拥有来自 ClusterRole 给定命名空间的权利(在您的例子中是命名空间 kubecontrol)。您必须使用 ClusterRoleBinding 来为整个集群提供 ClusterRole。