如何使用 kubernetes go-client 模拟工作

How to make impersonate work with kubernetes go-client

我正在寻找使用 kubernetes go-client 运行 kubectl auth can-i get pods --as system:serviceaccount:default:test 的方法。

到目前为止,我得到了以下代码,但它不起作用,因为与 kubectl auth can-i 相比,我得到的响应不同。我知道这是关于模拟的,所以我添加了 rest.ImpersonationConfig,但它仍然不起作用。

重现步骤:

kind create cluster
kubectl create sa test
kubectl create role test --verb=get --verb=list --resource=pods
kubectl create rolebinding test --role=test --serviceaccount=default:test

kubectl auth can-i get pod --as system:serviceaccount:default:test
# yes

代码:

package main

import (
    "context"
    "fmt"
    "os"

    authv1 "k8s.io/api/authorization/v1"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/client-go/kubernetes"
    "k8s.io/client-go/rest"
    "k8s.io/client-go/tools/clientcmd"
)

func main() {

    kubeconfig := fmt.Sprintf("%s/.kube/config", os.Getenv("HOME"))
    config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
    if err != nil {
        panic(err.Error())
    }

    config.Impersonate = rest.ImpersonationConfig{
        UserName: "system:serviceaccount:default:test",
    }

    clientset, err := kubernetes.NewForConfig(config)
    if err != nil {
        panic(err.Error())
    }

    action := authv1.ResourceAttributes{
        Namespace: "default",
        Verb:      "get",
        Resource:  "pod",
    }

    selfCheck := authv1.SelfSubjectAccessReview{
        Spec: authv1.SelfSubjectAccessReviewSpec{
            ResourceAttributes: &action,
        },
    }

    resp, err := clientset.AuthorizationV1().
        SelfSubjectAccessReviews().
        Create(context.TODO(), &selfCheck, metav1.CreateOptions{})

    if err != nil {
        panic(err.Error())
    }

    if resp.Status.Allowed {
        fmt.Println("allowed")
    } else {
        fmt.Println("denied")
    }
}

我想通了!我在 ResourceAttributes.

中使用了单数形式的“pod”而不是复数形式的“pods”
package main

import (
    "context"
    "fmt"
    "os"

    authv1 "k8s.io/api/authorization/v1"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/client-go/kubernetes"
    "k8s.io/client-go/rest"
    "k8s.io/client-go/tools/clientcmd"
)

func main() {

    kubeconfig := fmt.Sprintf("%s/.kube/config", os.Getenv("HOME"))
    config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
    if err != nil {
        panic(err.Error())
    }

    config.Impersonate = rest.ImpersonationConfig{
        UserName: "system:serviceaccount:default:test",
    }

    clientset, err := kubernetes.NewForConfig(config)
    if err != nil {
        panic(err.Error())
    }

    action := authv1.ResourceAttributes{
        Namespace: "default",
        Verb:      "get",
        Resource:  "pods",
    }

    selfCheck := authv1.SelfSubjectAccessReview{
        Spec: authv1.SelfSubjectAccessReviewSpec{
            ResourceAttributes: &action,
        },
    }

    resp, err := clientset.AuthorizationV1().
        SelfSubjectAccessReviews().
        Create(context.TODO(), &selfCheck, metav1.CreateOptions{})

    if err != nil {
        panic(err.Error())
    }

    if resp.Status.Allowed {
        fmt.Println("allowed")
    } else {
        fmt.Println("denied")
    }
}