kubernetes system:discovery role mechanism

I want to understand how the system:discovery role works in Kubernetes. I can see that the following non-resource URLs are the privileges included in the system:discovery role:
root@kubemas:~# kubectl describe clusterrole system:discovery
Name: system:discovery
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version] [] [get]
According to the cluster role binding description,
root@kubemas:~# kubectl describe clusterrolebindings.rbac.authorization.k8s.io system:discovery
Name: system:discovery
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: system:discovery
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:authenticated
I can see that only the system:authenticated group can access the non-resource URLs. If I run the command below, I can understand it: the requesting user is system:anonymous, which belongs to the system:unauthenticated group, and so it is not allowed to see the output:
root@kubemas:~# curl -k https://192.168.56.101:6443/api
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/api\"",
"reason": "Forbidden",
"details": {
},
"code": 403
But I expected the same result from the request below, where I am trying to fetch the Kubernetes version URL, which is also a non-resource URL. Yet I get the version output without any error. So how is this working? Am I misunderstanding this mechanism?
root@kubemas:~# curl -k https://192.168.56.101:6443/version
{
"major": "1",
"minor": "18",
"gitVersion": "v1.18.3",
"gitCommit": "2e7996e3e2712684bc73f0dec0200d64eec7fe40",
"gitTreeState": "clean",
"buildDate": "2020-05-20T12:43:34Z",
"goVersion": "go1.13.9",
"compiler": "gc",
"platform": "linux/amd64"
}
root@kubemas:~#
system:public-info-viewer is the ClusterRole that can access /version. This ClusterRole is bound to the system:authenticated and system:unauthenticated groups. Because it is bound to the system:unauthenticated group, you can access it.

From the docs:

This ClusterRole allows read-only access to non-sensitive information about the cluster. Introduced in Kubernetes v1.14.
kubectl describe clusterrole system:public-info-viewer
Name: system:public-info-viewer
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
[/healthz] [] [get]
[/livez] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version] [] [get]
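To make the mechanism concrete, here is an added example (not part of the question or answer above) that models how the RBAC authorizer evaluates non-resource URL rules against the two default ClusterRoles and ClusterRoleBindings shown on this page. The matching rule it implements is the one Kubernetes uses for `nonResourceURLs`: an entry matches on exact equality, or on prefix when the entry ends in `*`. The role and binding contents are copied from the `kubectl describe` output above; the group names `system:authenticated` and `system:unauthenticated` are the real default groups. The `authorize` function and the data classes are constructed for this illustration and are not Kubernetes APIs.

```python
"""Model of RBAC non-resource URL authorization using the default roles on this page."""
from dataclasses import dataclass
from typing import Optional, Sequence

NON_RESOURCE_ALL = "*"  # a rule of "*" matches every non-resource path


@dataclass(frozen=True)
class ClusterRole:
    name: str
    verbs: tuple
    non_resource_urls: tuple


@dataclass(frozen=True)
class ClusterRoleBinding:
    name: str
    role: str
    groups: tuple


# Rules copied from `kubectl describe clusterrole` output on the page.
CLUSTER_ROLES = {
    "system:discovery": ClusterRole(
        "system:discovery", ("get",),
        ("/api", "/api/*", "/apis", "/apis/*", "/healthz", "/livez",
         "/openapi", "/openapi/*", "/readyz", "/version", "/version/")),
    "system:public-info-viewer": ClusterRole(
        "system:public-info-viewer", ("get",),
        ("/healthz", "/livez", "/readyz", "/version", "/version/")),
}

# Subjects copied from the default bindings described on the page.
CLUSTER_ROLE_BINDINGS = [
    ClusterRoleBinding("system:discovery", "system:discovery",
                       ("system:authenticated",)),
    ClusterRoleBinding("system:public-info-viewer", "system:public-info-viewer",
                       ("system:authenticated", "system:unauthenticated")),
]

# Group memberships the API server assigns: an anonymous request carries only
# system:unauthenticated; any authenticated identity carries system:authenticated.
ANONYMOUS_GROUPS = ("system:unauthenticated",)
AUTHENTICATED_GROUPS = ("system:authenticated",)


def non_resource_url_matches(rule_urls: Sequence[str], requested: str) -> bool:
    """Kubernetes semantics: exact match, or prefix match when the rule ends in '*'."""
    for rule_url in rule_urls:
        if rule_url == NON_RESOURCE_ALL or rule_url == requested:
            return True
        if rule_url.endswith("*") and requested.startswith(rule_url.rstrip("*")):
            return True
    return False


def authorize(groups: Sequence[str], verb: str, path: str) -> Optional[str]:
    """Return the name of the first binding that grants the request, or None for deny.

    RBAC is allow-only: with no matching rule the request is forbidden (HTTP 403),
    which is exactly what the anonymous `curl .../api` on the page shows.
    """
    groups = set(groups)
    for binding in CLUSTER_ROLE_BINDINGS:
        if not groups.intersection(binding.groups):
            continue  # this binding does not apply to the caller
        role = CLUSTER_ROLES[binding.role]
        if verb not in role.verbs and "*" not in role.verbs:
            continue
        if non_resource_url_matches(role.non_resource_urls, path):
            return binding.name
    return None


if __name__ == "__main__":
    for who, groups in (("anonymous", ANONYMOUS_GROUPS),
                        ("authenticated", AUTHENTICATED_GROUPS)):
        for path in ("/api", "/apis/apps/v1", "/version"):
            print(f"{who:13} GET {path:15} -> {authorize(groups, 'get', path)}")
```

Running it shows the asymmetry the question is about: the anonymous caller is denied `/api` (no binding for `system:unauthenticated` covers it) but granted `/version` through `system:public-info-viewer`, while an authenticated caller reaches `/api` and `/apis/apps/v1` through `system:discovery`. On a live cluster the same questions can be asked of the real authorizer with `kubectl auth can-i get /version --as=system:anonymous --as-group=system:unauthenticated`, and anonymous access as a whole can be disabled on the API server with `--anonymous-auth=false` if exposing `/version` and the health endpoints unauthenticated is not acceptable.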