如何使用 curl 使用 SelfSubjectRulesReview 查看资源权限
How to view resource permissions with SelfSubjectRulesReview using curl
在 Kubernetes 中,您可以使用 auth can-i 命令来检查您是否拥有某些资源的权限。
例如,我可以像在 worker 上那样使用这个命令:
kubectl --kubeconfig /etc/kubernetes/kubelet.conf auth can-i get pods -v 9
它将检查您是否有权查看 pods,并且当您添加 -v 标志时,它会显示详细输出:
...
curl -k -v -XPOST -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.18.0 (linux/amd64) kubernetes/9e99141" 'https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
我想将此 REST API 与 curl 一起使用,但它不起作用:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H "Accept: application/json, */*" \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
"allowed":true
}
}
EOF
如果失败并出现错误:
"status": "Failure",
"message": "SelfSubjectAccessReview in version \"v1\" cannot be handled as a SelfSubjectRulesReview: converting (v1.SelfSubjectAccessReview).v1.SelfSubjectAccessReviewSpec to (authorization.SelfSubjectRulesReview).authorization.SelfSubjectRulesReviewSpec: Namespace not present in src",
"reason": "BadRequest",
"code": 400
如何使用带有 curl 的 SelfSubjectRulesReview API 查看资源权限?
感谢@HelloWorld,我发现了问题,问题在于 selfsubjectaccessreviews 与 selfsubjectrulesreviews 之间的差异。我将放置 2 个工作 curl 示例。
1) selfsubjectaccessreviews 示例以查看该帐户是否具有
的权限
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"resourceAttributes":{
"namespace":"default",
"verb":"get",
"resource":"pods"
}
},
"status":{
}
}
EOF
2) selfsubjectrulesreviews 查看账户在默认命名空间上的所有权限的示例:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectRulesReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
}
}
EOF
请注意,kubectl verbose 在输出中显示此 url:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews
你正在urling:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews
你能看出区别吗? selfsubjectaccessreviews 与 selfsubjectrulesreviews.
将 url 更改为更正一个即可。
在 Kubernetes 中,您可以使用 auth can-i 命令来检查您是否拥有某些资源的权限。
例如,我可以像在 worker 上那样使用这个命令:
kubectl --kubeconfig /etc/kubernetes/kubelet.conf auth can-i get pods -v 9
它将检查您是否有权查看 pods,并且当您添加 -v 标志时,它会显示详细输出:
...
curl -k -v -XPOST -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.18.0 (linux/amd64) kubernetes/9e99141" 'https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
我想将此 REST API 与 curl 一起使用,但它不起作用:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H "Accept: application/json, */*" \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
"allowed":true
}
}
EOF
如果失败并出现错误:
"status": "Failure",
"message": "SelfSubjectAccessReview in version \"v1\" cannot be handled as a SelfSubjectRulesReview: converting (v1.SelfSubjectAccessReview).v1.SelfSubjectAccessReviewSpec to (authorization.SelfSubjectRulesReview).authorization.SelfSubjectRulesReviewSpec: Namespace not present in src",
"reason": "BadRequest",
"code": 400
如何使用带有 curl 的 SelfSubjectRulesReview API 查看资源权限?
感谢@HelloWorld,我发现了问题,问题在于 selfsubjectaccessreviews 与 selfsubjectrulesreviews 之间的差异。我将放置 2 个工作 curl 示例。
1) selfsubjectaccessreviews 示例以查看该帐户是否具有
的权限curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"resourceAttributes":{
"namespace":"default",
"verb":"get",
"resource":"pods"
}
},
"status":{
}
}
EOF
2) selfsubjectrulesreviews 查看账户在默认命名空间上的所有权限的示例:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectRulesReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
}
}
EOF
请注意,kubectl verbose 在输出中显示此 url:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews
你正在urling:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews
你能看出区别吗? selfsubjectaccessreviews 与 selfsubjectrulesreviews.
将 url 更改为更正一个即可。