Allow a Kubernetes user to list/get namespaces
I have the following user manifest, and I want to allow myapp-user to get a list of all namespaces in the cluster. From what I have found, I should create a ClusterRole, but I really can't find enough detail. Is there a list of all apiGroups with their corresponding resources and verbs?
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-user
  namespace: myapp
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: myapp-user-role
  namespace: myapp
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources:
  - ingresses   # RBAC resource names are the plural form; "ingress" matches nothing
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myapp-user
  namespace: myapp
subjects:
- kind: ServiceAccount
  name: myapp-user   # must match the ServiceAccount name exactly
  namespace: myapp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myapp-user-role
I thought adding this to role.rules might help, but unfortunately it doesn't:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["GET"]
You can get the API resources via kubectl api-resources:

kubectl api-resources
NAME                     SHORTNAMES   APIGROUP   NAMESPACED   KIND
bindings                                         true         Binding
componentstatuses        cs                      false        ComponentStatus
configmaps               cm                      true         ConfigMap
endpoints                ep                      true         Endpoints
events                   ev                      true         Event
limitranges              limits                  true         LimitRange
namespaces               ns                      false        Namespace
nodes                    no                      false        Node
persistentvolumeclaims   pvc                     true         PersistentVolumeClaim
persistentvolumes        pv                      false        PersistentVolume

The commands to create the clusterrole and clusterrolebinding should work:
kubectl create clusterrole cr --verb=get,list --resource=namespaces
kubectl create clusterrolebinding crb --clusterrole=cr --serviceaccount=default:default
Then test it:
kubectl auth can-i get ns --as=system:serviceaccount:default:default
kubectl auth can-i list ns --as=system:serviceaccount:default:default
You can list all resource types supported by the cluster with this command:
❯❯❯ kubectl api-resources
NAME                     SHORTNAMES   APIGROUP   NAMESPACED   KIND
bindings                                         true         Binding
componentstatuses        cs                      false        ComponentStatus
configmaps               cm                      true         ConfigMap
endpoints                ep                      true         Endpoints
events                   ev                      true         Event
limitranges              limits                  true         LimitRange
namespaces               ns                      false        Namespace
nodes                    no                      false        Node
persistentvolumeclaims   pvc                     true         PersistentVolumeClaim
persistentvolumes        pv                      false        PersistentVolume
To see all the actions/verbs these resources support, you need to look at the Kubernetes reference documentation for the version relevant to you, e.g. for CronJobs:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#cronjob-v1beta1-batch
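Both answers point at kubectl api-resources to find a resource's API group and whether it is namespaced, which is what decides between a Role and a ClusterRole. The following is an added example, not code from either answer: it parses the fixed-width table kubectl prints, taking column boundaries from the header line because the empty SHORTNAMES and APIGROUP cells make whitespace splitting unreliable, and derives the rule kind from the NAMESPACED column. The sample table is the one shown above, constructed inline; newer kubectl prints an APIVERSION column (e.g. apps/v1) in place of APIGROUP, which the parser also handles. The function names are this example's own.

```python
"""Parse `kubectl api-resources` output and decide whether a grant needs a Role or a
ClusterRole. Added example, not code from the question or the answers."""

import re

# Constructed sample: the rows shown in the answers above, laid out the way kubectl's
# tabwriter prints them (three-space column gap, empty cells left blank).
API_RESOURCES_OUTPUT = """\
NAME                     SHORTNAMES   APIGROUP   NAMESPACED   KIND
bindings                                         true         Binding
componentstatuses        cs                      false        ComponentStatus
configmaps               cm                      true         ConfigMap
endpoints                ep                      true         Endpoints
events                   ev                      true         Event
limitranges              limits                  true         LimitRange
namespaces               ns                      false        Namespace
nodes                    no                      false        Node
persistentvolumeclaims   pvc                     true         PersistentVolumeClaim
persistentvolumes        pv                      false        PersistentVolume
"""


def parse_api_resources(text):
    """Return {name: {"shortnames": [...], "group": str, "namespaced": bool, "kind": str}}.

    Splitting rows on whitespace is wrong because SHORTNAMES and APIGROUP cells are often
    empty (no short name, core API group), so column boundaries come from the header.
    kubectl >= 1.20 prints APIVERSION (e.g. "apps/v1") instead of APIGROUP; both work.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    columns = [header[a:b].strip() for a, b in bounds]
    resources = {}
    for line in lines[1:]:
        row = dict(zip(columns, (line[a:b].strip() for a, b in bounds)))
        if "APIVERSION" in row:  # "apps/v1" -> "apps"; a bare "v1" is the core group
            group = row["APIVERSION"].rsplit("/", 1)[0] if "/" in row["APIVERSION"] else ""
        else:
            group = row["APIGROUP"]
        resources[row["NAME"]] = {
            "shortnames": row["SHORTNAMES"].split(",") if row["SHORTNAMES"] else [],
            "group": group,  # "" is the core group, written apiGroups: [""] in RBAC
            "namespaced": row["NAMESPACED"] == "true",
            "kind": row["KIND"],
        }
    return resources


def resolve(resources, ref):
    """Map a resource name or short name (ns, cm, pvc, ...) to (name, entry)."""
    if ref in resources:
        return ref, resources[ref]
    for name, entry in resources.items():
        if ref in entry["shortnames"]:
            return name, entry
    raise KeyError(f"unknown resource {ref!r}; run kubectl api-resources on the cluster")


def rbac_rule_for(resources, ref, verbs):
    """Return ("Role" | "ClusterRole", PolicyRule) for granting verbs on ref.

    A Role is itself namespaced and is only consulted for requests inside its namespace,
    so a cluster-scoped resource such as namespaces needs a ClusterRole plus a
    ClusterRoleBinding; namespaced resources can be granted with a Role.
    """
    name, entry = resolve(resources, ref)
    kind = "Role" if entry["namespaced"] else "ClusterRole"
    return kind, {"apiGroups": [entry["group"]], "resources": [name], "verbs": list(verbs)}


if __name__ == "__main__":
    table = parse_api_resources(API_RESOURCES_OUTPUT)
    for ref in ("ns", "configmaps"):
        print(ref, "->", rbac_rule_for(table, ref, ["get", "list"]))
```

Feed it the real output of `kubectl api-resources` from your own cluster rather than the sample; the PolicyRule it returns is the one to paste into the rules of the kind it names.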
Thanks to @abhishek-jaisingh's and @arghya-sadhu's answers I was able to figure it out and rewrite the commands as a manifest.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: myapp-user-cr
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: myapp-user-crb
subjects:
- kind: ServiceAccount
  name: myapp-user
  namespace: myapp   # required for ServiceAccount subjects; the API server rejects the binding without it
roleRef:
  kind: ClusterRole
  name: myapp-user-cr
  apiGroup: rbac.authorization.k8s.io
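Why the namespaced Role in the question cannot grant a cluster-wide namespace list while the ClusterRole above can comes down to how the RBAC authorizer matches a request against bindings. The following is an added example, not code from the question or any answer: a small model of those matching rules (exact, case-sensitive verb/apiGroup/resource matches, "*" as a wildcard, RoleBindings consulted only for requests inside their own namespace) run against this thread's manifests, written as Python dicts so it needs neither a cluster nor PyYAML. It covers ServiceAccount subjects only and ignores resourceNames, subresources and ClusterRole aggregation; the function names are its own.

```python
"""Model of the RBAC authorizer's matching rules, run over the manifests in this thread.
Added example, not code from the question or the answers."""


def rule_matches(rule, verb, group, resource):
    """A PolicyRule matches when each list holds "*" or the exact value; no case folding,
    so verbs: ["GET"] never matches the request verb "get"."""
    return (
        ("*" in rule["verbs"] or verb in rule["verbs"])
        and ("*" in rule["apiGroups"] or group in rule["apiGroups"])
        and ("*" in rule["resources"] or resource in rule["resources"])
    )


def subject_matches(subject, sa_namespace, sa_name, binding_namespace):
    """ServiceAccount subjects match on (namespace, name). A subject without a namespace
    falls back to the binding's namespace, which is empty for a ClusterRoleBinding."""
    if subject["kind"] != "ServiceAccount":
        return False
    ns = subject.get("namespace") or binding_namespace
    return ns == sa_namespace and subject["name"] == sa_name


def can_i(objs, sa, verb, resource, group="", namespace=""):
    """Return True if ServiceAccount sa=(namespace, name) may perform verb on group/resource.

    namespace is the namespace of the *request*: "" for a cluster-scoped request such as
    listing all namespaces, "myapp" for objects in (or the namespace object) myapp.
    ClusterRoleBindings always apply; RoleBindings only to requests in the binding's
    namespace. A RoleBinding may reference a Role in its namespace or a ClusterRole, but
    either way it grants only within that namespace.
    """
    roles = {}
    for o in objs:
        if o["kind"] in ("Role", "ClusterRole"):
            roles[(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"])] = o
    for b in objs:
        ref = b.get("roleRef", {})
        if b["kind"] == "ClusterRoleBinding":
            b_ns, role = "", roles.get(("ClusterRole", "", ref["name"]))
        elif b["kind"] == "RoleBinding" and namespace and b["metadata"]["namespace"] == namespace:
            b_ns = namespace
            key = ("ClusterRole", "", ref["name"]) if ref["kind"] == "ClusterRole" else ("Role", b_ns, ref["name"])
            role = roles.get(key)
        else:
            continue
        if role is None or not any(subject_matches(s, *sa, b_ns) for s in b["subjects"]):
            continue
        if any(rule_matches(r, verb, group, resource) for r in role["rules"]):
            return True
    return False


SA = ("myapp", "myapp-user")  # the ServiceAccount from the question

# The question's Role/RoleBinding, reduced to the rules that matter here, plus the
# verbs: ["GET"] rule the question tried to add.
NAMESPACED_ATTEMPT = [
    {"kind": "Role", "metadata": {"name": "myapp-user-role", "namespace": "myapp"},
     "rules": [
         {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
         {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["GET"]},
     ]},
    {"kind": "RoleBinding", "metadata": {"name": "myapp-user", "namespace": "myapp"},
     "subjects": [{"kind": "ServiceAccount", "name": "myapp-user", "namespace": "myapp"}],
     "roleRef": {"kind": "Role", "name": "myapp-user-role"}},
]

# The ClusterRole/ClusterRoleBinding from the manifest above.
CLUSTER_GRANT = [
    {"kind": "ClusterRole", "metadata": {"name": "myapp-user-cr"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "myapp-user-crb"},
     "subjects": [{"kind": "ServiceAccount", "name": "myapp-user", "namespace": "myapp"}],
     "roleRef": {"kind": "ClusterRole", "name": "myapp-user-cr"}},
]


def demo():
    """Outcomes for the requests this thread is about, keyed by a short description."""
    return {
        # kubectl get ns myapp: the API server files a GET of /api/v1/namespaces/myapp under
        # namespace "myapp", so the RoleBinding applies and the wildcard core-group rule matches.
        "role: get namespace myapp": can_i(NAMESPACED_ATTEMPT, SA, "get", "namespaces", namespace="myapp"),
        # kubectl get ns: a cluster-scoped list, so no RoleBinding is consulted at all.
        "role: list namespaces": can_i(NAMESPACED_ATTEMPT, SA, "list", "namespaces"),
        "clusterrole: list namespaces": can_i(CLUSTER_GRANT, SA, "list", "namespaces"),
        "clusterrole: delete namespaces": can_i(CLUSTER_GRANT, SA, "delete", "namespaces"),
        "verb GET matches get": rule_matches({"apiGroups": [""], "resources": ["namespaces"], "verbs": ["GET"]}, "get", "", "namespaces"),
    }


if __name__ == "__main__":
    for what, allowed in demo().items():
        print(f"{what}: {'yes' if allowed else 'no'}")
```

The two outcomes worth noticing are the first and second: the namespaced Role already lets the account read its own namespace object, and what it can never give is the cluster-scoped list, which is exactly what kubectl auth can-i list ns --as=system:serviceaccount:myapp:myapp-user checks on a real cluster.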