How to block exec into a pod using RBAC

I have a Kubernetes cluster with a user who can install, upgrade and delete pods. But I want to prevent him from exec'ing into the pods.

How can I achieve this with RBAC?

Permissions are additive. I am not aware of any deny permission in Kubernetes RBAC.

You need to give the user a ClusterRole or a Role.

The specific permission for this is called pods/exec. So make sure you do not include it in the role.

Here is an example ClusterRole without pods/exec that has read access to most resources (excluding secrets). You can modify it to allow create on pods etc. if needed.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-only-clusterrole
rules:
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - componentstatuses
      - configmaps
      - endpoints
      - events
      - limitranges
      - namespaces
      - namespaces/finalize
      - namespaces/status
      - nodes
      - nodes/proxy
      - nodes/status
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - persistentvolumes
      - persistentvolumes/status
      - pods
      - pods/attach
      - pods/binding
      - pods/eviction
#      - pods/exec
      - pods/log
      - pods/proxy
      - pods/status
      - podtemplates
      - replicationcontrollers
      - replicationcontrollers/scale
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
      - serviceaccounts
      - services
      - services/proxy
      - services/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
    verbs:
      - list
      - get
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
      - jobs/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - csidrivers
      - csinodes
      - storageclasses
      - volumeattachments
      - volumeattachments/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - node.k8s.io
    resources:
      - runtimeclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
      - ingresses/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - events.k8s.io
    resources:
      - events
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
      - customresourcedefinitions/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
      - apiservices/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
      - podsecuritypolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
      - clusterroles
      - rolebindings
      - roles
    verbs:
      - get
      - list
      - watch

For anyone who reads this and can still exec into a pod, as the OP said, it is probably additional ClusterRoles and Roles that are adding permissions to the user or service account.
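Because RBAC is purely additive, leaving pods/exec out of one role proves nothing on its own; the question is whether any binding in the cluster confers it. The following is an added example (not part of the answer or comment above) that audits a dump shaped like `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` and lists every subject and binding that grants exec. The RBAC objects in it are constructed for illustration; the only assumption beyond standard RBAC matching rules is that the audit treats `get` as well as `create` on pods/exec as a grant, because the exec subresource accepts GET-upgraded WebSocket connections in addition to the POST that kubectl sends.

```python
"""Audit RBAC objects for bindings that let a subject exec into pods.

Added example, not code from the original page. Input is shaped like the
output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`
(a List whose items each carry their own `kind`); the objects below are constructed.
"""
import json

# The API server maps HTTP GET to the "get" verb, and the exec subresource accepts
# GET-upgraded WebSocket connections as well as POST, so both verbs count as a grant.
EXEC_VERBS = {"*", "create", "get"}
# RBAC matches subresources only when they are named explicitly, via "pods/*", or via "*".
EXEC_RESOURCES = {"*", "pods/*", "pods/exec"}


def rule_grants_exec(rule):
    """True if a single PolicyRule covers the pods/exec subresource of the core API group."""
    groups = rule.get("apiGroups", [])
    if "*" not in groups and "" not in groups:
        return False
    if not EXEC_RESOURCES & set(rule.get("resources", [])):
        return False
    return bool(EXEC_VERBS & set(rule.get("verbs", [])))


def role_grants_exec(role):
    return any(rule_grants_exec(r) for r in role.get("rules", []))


def subject_str(subject):
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount {subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']} {subject['name']}"


def find_exec_grants(items):
    """Return (subject, scope, role) for every binding that confers exec.

    One offending binding is enough to allow exec, so every such binding is
    reported so that each can be removed or tightened.
    """
    by_kind = {}
    for obj in items:
        by_kind.setdefault(obj["kind"], []).append(obj)
    cluster_roles = {o["metadata"]["name"]: o for o in by_kind.get("ClusterRole", [])}
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in by_kind.get("Role", [])}

    grants = []
    for crb in by_kind.get("ClusterRoleBinding", []):
        ref = crb["roleRef"]
        role = cluster_roles.get(ref["name"])
        if role is not None and role_grants_exec(role):
            for s in crb.get("subjects", []):
                grants.append((subject_str(s), "cluster-wide", f"ClusterRole/{ref['name']}"))
    for rb in by_kind.get("RoleBinding", []):
        ns = rb["metadata"]["namespace"]
        ref = rb["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant is then limited to ns.
        if ref["kind"] == "ClusterRole":
            role = cluster_roles.get(ref["name"])
        else:
            role = roles.get((ns, ref["name"]))
        if role is not None and role_grants_exec(role):
            for s in rb.get("subjects", []):
                grants.append((subject_str(s), f"namespace {ns}", f"{ref['kind']}/{ref['name']}"))
    return grants


def load_items(json_text):
    """Parse a kubectl List document and return its items."""
    return json.loads(json_text)["items"]


# Constructed sample: the read-only ClusterRole (abridged) without pods/exec, a
# wildcard admin role, and a namespaced Role that does grant pods/exec.
CONSTRUCTED_RBAC = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "read-only-clusterrole"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log", "pods/attach"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-debugger", "namespace": "staging"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-read-only"},
     "roleRef": {"kind": "ClusterRole", "name": "read-only-clusterrole"},
     "subjects": [{"kind": "User", "name": "dev"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-debug", "namespace": "staging"},
     "roleRef": {"kind": "Role", "name": "pod-debugger"},
     "subjects": [{"kind": "User", "name": "dev"},
                  {"kind": "ServiceAccount", "name": "ci", "namespace": "staging"}]},
]}

if __name__ == "__main__":
    for subject, scope, role in find_exec_grants(load_items(json.dumps(CONSTRUCTED_RBAC))):
        print(f"{subject} can exec {scope} via {role}")
```

Running it against the constructed input reports that `dev` cannot exec through read-only-clusterrole but can in the staging namespace through the pod-debugger Role, which is exactly the "additional Roles" situation the comment describes. On a live cluster the quickest spot check is `kubectl auth can-i create pods/exec --as <user> -n <namespace>` (and the same with `get`), which evaluates the union of all bindings the API server knows about.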