Kubernetes 服务帐户没有分配角色?
Kubernetes service account does not have assigned role?
我在 kubernetes 中有一个服务帐户:
apiVersion: v1
kind: ServiceAccount
metadata:
name: testsa
namespace: project-1
并且我已为其分配 view 角色:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: testsa-view
namespace: project-1
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: testsa
namespace: project-1
这应该授予服务帐户对所有资源的读取权限。在 project-1 命名空间的 pod 中,我正在尝试 运行 以下 Python 代码:
>>> from kubernetes import client, config
>>> config.load_incluster_config()
>>> api = client.CoreV1Api()
>>> api.list_pod_for_all_namespaces()
但这失败并出现 403 错误:
kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
[...]
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:project-1:testsa\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}
pod 与服务帐户相关联:
apiVersion: v1
kind: Pod
metadata:
labels:
run: testsa
name: testsa-2-l929g
namespace: project-1
spec:
serviceAccountName: testsa
automountServiceAccountToken: true
containers:
- image: larsks/testsa
imagePullPolicy: Always
name: testsa
ports:
- containerPort: 8080
protocol: TCP
resources: {}
在容器内部,我可以看到安装的秘密:
/src $ find /run/secrets/ -type f
/run/secrets/kubernetes.io/serviceaccount/..2020_09_04_16_30_26.292719465/ca.crt
/run/secrets/kubernetes.io/serviceaccount/..2020_09_04_16_30_26.292719465/token
/run/secrets/kubernetes.io/serviceaccount/..2020_09_04_16_30_26.292719465/service-ca.crt
/run/secrets/kubernetes.io/serviceaccount/..2020_09_04_16_30_26.292719465/namespace
/run/secrets/rhsm/ca/redhat-uep.pem
/run/secrets/rhsm/ca/redhat-entitlement-authority.pem
我在这里错过了什么?
错误显示 cannot list resource \"pods\" in API group \"\" at the cluster scope,因为您正在尝试访问集群中所有命名空间的所有 pods,而不是仅 project-1 命名空间的所有 pods。
因此将 Role 更改为 ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: testsa-view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: testsa
namespace: project-1
引用示例 here RoleBinding 始终授予仅限于该特定命名空间的命名空间范围资源的权限,即使您在其中引用 ClusterRole。
您可以使用以下命令检查服务帐户的权限
kubectl auth can-i --list --as=system:serviceaccount:project-1:testsa
kubectl auth can-i --list --as=system:serviceaccount:project-1:testsa -n project-1
kubectl auth list pods --as=system:serviceaccount:project-1:testsa
kubectl auth list pods --as=system:serviceaccount:project-1:testsa -n project-1
我在 kubernetes 中有一个服务帐户:
apiVersion: v1
kind: ServiceAccount
metadata:
name: testsa
namespace: project-1
并且我已为其分配 view 角色:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: testsa-view
namespace: project-1
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: testsa
namespace: project-1
这应该授予服务帐户对所有资源的读取权限。在 project-1 命名空间的 pod 中,我正在尝试 运行 以下 Python 代码:
>>> from kubernetes import client, config
>>> config.load_incluster_config()
>>> api = client.CoreV1Api()
>>> api.list_pod_for_all_namespaces()
但这失败并出现 403 错误:
kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
[...]
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:project-1:testsa\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}
pod 与服务帐户相关联:
apiVersion: v1
kind: Pod
metadata:
labels:
run: testsa
name: testsa-2-l929g
namespace: project-1
spec:
serviceAccountName: testsa
automountServiceAccountToken: true
containers:
- image: larsks/testsa
imagePullPolicy: Always
name: testsa
ports:
- containerPort: 8080
protocol: TCP
resources: {}
在容器内部,我可以看到安装的秘密:
/src $ find /run/secrets/ -type f
/run/secrets/kubernetes.io/serviceaccount/..2020_09_04_16_30_26.292719465/ca.crt
/run/secrets/kubernetes.io/serviceaccount/..2020_09_04_16_30_26.292719465/token
/run/secrets/kubernetes.io/serviceaccount/..2020_09_04_16_30_26.292719465/service-ca.crt
/run/secrets/kubernetes.io/serviceaccount/..2020_09_04_16_30_26.292719465/namespace
/run/secrets/rhsm/ca/redhat-uep.pem
/run/secrets/rhsm/ca/redhat-entitlement-authority.pem
我在这里错过了什么?
错误显示 cannot list resource \"pods\" in API group \"\" at the cluster scope,因为您正在尝试访问集群中所有命名空间的所有 pods,而不是仅 project-1 命名空间的所有 pods。
因此将 Role 更改为 ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: testsa-view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: testsa
namespace: project-1
引用示例 here RoleBinding 始终授予仅限于该特定命名空间的命名空间范围资源的权限,即使您在其中引用 ClusterRole。
您可以使用以下命令检查服务帐户的权限
kubectl auth can-i --list --as=system:serviceaccount:project-1:testsa
kubectl auth can-i --list --as=system:serviceaccount:project-1:testsa -n project-1
kubectl auth list pods --as=system:serviceaccount:project-1:testsa
kubectl auth list pods --as=system:serviceaccount:project-1:testsa -n project-1