您如何设置 kubernetes RBAC 资源,以便 pods 可以通过客户端访问 API?
How do you set up kubernetes RBAC resources so that pods can access the API via a client?
问题
我有一个简单的 RBAC 配置来访问集群内的 Kubernetes API。但是,我从 kubectl 得到的信息似乎相互矛盾。部署清单后,RBAC 似乎已正确设置。
$ kubectl exec -ti pod/controller -- kubectl auth can-i get namespaces
Warning: resource 'namespaces' is not namespace scoped
yes
但是,实际发出请求会产生权限错误
$ kubectl exec -ti pod/controller -- kubectl get namespaces
Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:controller" cannot list resource "namespaces" in API group "" at the cluster scope
command terminated with exit code 1
清单
apiVersion: 'v1'
kind: 'ServiceAccount'
metadata:
name: 'controller'
---
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'Role'
metadata:
name: 'read-namespaces'
rules:
- apiGroups:
- ''
resources:
- 'namespaces'
verbs:
- 'get'
- 'watch'
- 'list'
---
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'RoleBinding'
metadata:
name: 'read-namespaces'
roleRef:
apiGroup: ''
kind: 'Role'
name: 'read-namespaces'
subjects:
- kind: 'ServiceAccount'
name: 'controller'
---
apiVersion: 'v1'
kind: 'Pod'
metadata:
name: 'controller'
labels:
'app': 'controller'
spec:
containers:
- name: 'kubectl'
image: 'bitnami/kubectl:latest'
imagePullPolicy: 'Always'
command:
- 'sleep'
- '3600'
serviceAccountName: 'controller'
---
其他信息
我试过 kubectl auth reconcile -f manifest.yaml 和 kubectl apply -f manifest.yaml,结果是一样的。
我还将 "read-namespaces" RoleBinding.subjects[0].namespace 设置为正确的命名空间(在本例中为 "default")。输出没有变化。
角色是每个命名空间,您需要使用 ClusterRoleBinding
创建集群角色和绑定
如果你想将你的集群角色绑定到特定的命名空间,你可以这样做,在 ClusterRole 上使用 RoleBinding:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa
namespace: myapp
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-myapp
rules:
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: job001
namespace: myapp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: role-myapp
subjects:
- kind: ServiceAccount
name: sa
namespace: myapp
命名空间是集群范围内的资源。所以你需要一个 ClusterRole 和一个 ClusterRoleBinding.
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'ClusterRole'
metadata:
name: 'read-namespaces'
rules:
- apiGroups:
- ''
resources:
- 'namespaces'
verbs:
- 'get'
- 'watch'
- 'list'
---
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'ClusterRoleBinding'
metadata:
name: 'read-namespaces'
roleRef:
apiGroup: 'rbac.authorization.k8s.io'
kind: 'ClusterRole'
name: 'read-namespaces'
subjects:
- kind: 'ServiceAccount'
name: 'controller'
---
问题
我有一个简单的 RBAC 配置来访问集群内的 Kubernetes API。但是,我从 kubectl 得到的信息似乎相互矛盾。部署清单后,RBAC 似乎已正确设置。
$ kubectl exec -ti pod/controller -- kubectl auth can-i get namespaces
Warning: resource 'namespaces' is not namespace scoped
yes
但是,实际发出请求会产生权限错误
$ kubectl exec -ti pod/controller -- kubectl get namespaces
Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:controller" cannot list resource "namespaces" in API group "" at the cluster scope
command terminated with exit code 1
清单
apiVersion: 'v1'
kind: 'ServiceAccount'
metadata:
name: 'controller'
---
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'Role'
metadata:
name: 'read-namespaces'
rules:
- apiGroups:
- ''
resources:
- 'namespaces'
verbs:
- 'get'
- 'watch'
- 'list'
---
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'RoleBinding'
metadata:
name: 'read-namespaces'
roleRef:
apiGroup: ''
kind: 'Role'
name: 'read-namespaces'
subjects:
- kind: 'ServiceAccount'
name: 'controller'
---
apiVersion: 'v1'
kind: 'Pod'
metadata:
name: 'controller'
labels:
'app': 'controller'
spec:
containers:
- name: 'kubectl'
image: 'bitnami/kubectl:latest'
imagePullPolicy: 'Always'
command:
- 'sleep'
- '3600'
serviceAccountName: 'controller'
---
其他信息
我试过 kubectl auth reconcile -f manifest.yaml 和 kubectl apply -f manifest.yaml,结果是一样的。
我还将 "read-namespaces" RoleBinding.subjects[0].namespace 设置为正确的命名空间(在本例中为 "default")。输出没有变化。
角色是每个命名空间,您需要使用 ClusterRoleBinding
如果你想将你的集群角色绑定到特定的命名空间,你可以这样做,在 ClusterRole 上使用 RoleBinding:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa
namespace: myapp
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-myapp
rules:
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: job001
namespace: myapp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: role-myapp
subjects:
- kind: ServiceAccount
name: sa
namespace: myapp
命名空间是集群范围内的资源。所以你需要一个 ClusterRole 和一个 ClusterRoleBinding.
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'ClusterRole'
metadata:
name: 'read-namespaces'
rules:
- apiGroups:
- ''
resources:
- 'namespaces'
verbs:
- 'get'
- 'watch'
- 'list'
---
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'ClusterRoleBinding'
metadata:
name: 'read-namespaces'
roleRef:
apiGroup: 'rbac.authorization.k8s.io'
kind: 'ClusterRole'
name: 'read-namespaces'
subjects:
- kind: 'ServiceAccount'
name: 'controller'
---