listing/creation of PV failing using kubernetes RBAC

I have a service account which has access to one of the application namespaces. I have created a cluster role and a role binding and mapped it to the associated service account in that namespace. Everything works as expected except listing/creation of PVs at the cluster level. Can someone help?

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dxf-clusterrole
rules:
  - apiGroups:
      - ""
      - apps
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - roles.rbac.authorization.k8s.io
      - authorization.k8s.io
    resources:
      - secrets
      - configmaps
      - deployments
      - endpoints
      - horizontalpodautoscalers
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - roles   # the resource name is "roles" (plural), not "role"
      - rolebindings
    verbs:
      - get
      - watch
      - list
      - create
      - delete
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list



apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dxf-clusterrolebinding
  namespace: dxf-uat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dxf-clusterrole
subjects:
- kind: ServiceAccount
  name: dxf-deployer
  namespace: dxf-uat

User "system:serviceaccount:dxf-uat:dxf-deployer" cannot get resource "persistentvolumes" in API group "" at the cluster scope

There are four Kubernetes objects: Role, ClusterRole, RoleBinding and ClusterRoleBinding, which we can use to configure the required RBAC rules. Role and RoleBinding are namespaced, while ClusterRole and ClusterRoleBinding are cluster-scoped resources.

As you can see in the RoleBinding and ClusterRoleBinding documentation:

A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.


Your problem is with all the cluster-scoped resources, such as PersistentVolumes, Nodes, Namespaces, etc.:

$ kubectl get nodes --as=system:serviceaccount:dxf-uat:dxf-deployer
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:dxf-uat:dxf-deployer" cannot list resource "nodes" in API group "" at the cluster scope

$ kubectl get persistentvolumes -n dxf-uat --as=system:serviceaccount:dxf-uat:dxf-deployer
Error from server (Forbidden): persistentvolumes is forbidden: User "system:serviceaccount:dxf-uat:dxf-deployer" cannot list resource "persistentvolumes" in API group "" at the cluster scope

$ kubectl get namespaces --as=system:serviceaccount:dxf-uat:dxf-deployer
Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:dxf-uat:dxf-deployer" cannot list resource "namespaces" in API group "" at the cluster scope

You need to create a ClusterRole containing all the cluster-scoped resources you want to access from the dxf-deployer ServiceAccount, and then bind this ClusterRole to the dxf-deployer ServiceAccount using a ClusterRoleBinding.

In the example below, I have granted the dxf-deployer ServiceAccount permissions to Nodes and PersistentVolumes:

$ cat cluster-scope-permissions.yml
# cluster-scope-permissions.yml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-scope-role
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
  - create
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-scope-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-scope-role
subjects:
- kind: ServiceAccount
  name: dxf-deployer
  namespace: dxf-uat

Finally, we can check that it works as expected:

$ kubectl apply -f cluster-scope-permissions.yml
clusterrole.rbac.authorization.k8s.io/cluster-scope-role created
clusterrolebinding.rbac.authorization.k8s.io/cluster-scope-rolebinding created


$ kubectl get nodes --as=system:serviceaccount:dxf-uat:dxf-deployer
NAME                                       STATUS   ROLES    AGE     VERSION
node1                                      Ready    <none>   5h11m   v1.18.12-gke.1210
node2                                      Ready    <none>   5h11m   v1.18.12-gke.1210

$ kubectl get persistentvolumes -n dxf-uat --as=system:serviceaccount:dxf-uat:dxf-deployer
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                STORAGECLASS   REASON   AGE
pvc-0ba2fd12-c883-45b8-b52d-a6c826a2775a   8Gi        RWO            Delete           Bound    default/my-jenkins   standard                131m
pvc-b4b7a4c8-c9ad-4e83-b1ee-663b3e4d938b   10Gi       RWO            Delete           Bound    default/debug-pvc    standard                5h12m
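As an added example (not part of the question or the answer above), here is a small Python audit that applies the rule the answer gives: a cluster-scoped resource that a subject receives only through a namespaced RoleBinding is never effective, and only a ClusterRoleBinding fixes that. The manifests are constructed, trimmed copies of the ones on this page, and the CLUSTER_SCOPED list is an assumption kept short for the example:

```python
# Cluster-scoped core (apiGroup "") resources. Assumption: hand-maintained for the
# example; a real audit would take it from `kubectl api-resources --namespaced=false`.
CLUSTER_SCOPED = {"nodes", "persistentvolumes", "namespaces"}

def _rule_resources(role):  # (apiGroup, resource) pairs granted by a Role/ClusterRole
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                yield group, res

def ineffective_cluster_grants(roles, bindings, subject):
    """Cluster-scoped resources `subject` gets only via a namespaced RoleBinding.
    Such grants never apply at cluster scope; a ClusterRoleBinding covering the
    same resource cancels the finding."""
    by_name = {(r["kind"], r["metadata"]["name"]): r for r in roles}
    via_namespaced, via_cluster = set(), set()
    for b in bindings:
        if subject not in b.get("subjects", []):
            continue
        ref = b["roleRef"]
        role = by_name.get((ref["kind"], ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        granted = {res for grp, res in _rule_resources(role)
                   if grp == "" and res in CLUSTER_SCOPED}
        (via_cluster if b["kind"] == "ClusterRoleBinding" else via_namespaced).update(granted)
    return via_namespaced - via_cluster

# Constructed sample manifests: the question's ClusterRole (trimmed) and RoleBinding,
# plus the answer's cluster-scope ClusterRole and ClusterRoleBinding.
SUBJECT = {"kind": "ServiceAccount", "name": "dxf-deployer", "namespace": "dxf-uat"}
DXF_ROLE = {"kind": "ClusterRole", "metadata": {"name": "dxf-clusterrole"},
            "rules": [{"apiGroups": ["", "apps"], "verbs": ["get", "list", "create"],
                       "resources": ["pods", "nodes", "namespaces",
                                     "persistentvolumes", "persistentvolumeclaims"]}]}
DXF_BINDING = {"kind": "RoleBinding", "subjects": [SUBJECT],
               "metadata": {"name": "dxf-clusterrolebinding", "namespace": "dxf-uat"},
               "roleRef": {"kind": "ClusterRole", "name": "dxf-clusterrole"}}
SCOPE_ROLE = {"kind": "ClusterRole", "metadata": {"name": "cluster-scope-role"},
              "rules": [{"apiGroups": [""], "verbs": ["get", "list"],
                         "resources": ["nodes", "persistentvolumes"]}]}
SCOPE_BINDING = {"kind": "ClusterRoleBinding", "subjects": [SUBJECT],
                 "metadata": {"name": "cluster-scope-rolebinding"},
                 "roleRef": {"kind": "ClusterRole", "name": "cluster-scope-role"}}

def audit_question_state():  # only the RoleBinding exists, as in the question
    return ineffective_cluster_grants([DXF_ROLE], [DXF_BINDING], SUBJECT)

def audit_answer_state():  # after applying the answer's cluster-scope-permissions.yml
    return ineffective_cluster_grants([DXF_ROLE, SCOPE_ROLE], [DXF_BINDING, SCOPE_BINDING], SUBJECT)
```

Against the question's state the audit reports nodes, namespaces and persistentvolumes; after the answer's manifests are added only namespaces remains, because cluster-scope-role does not include it.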