如何使用 'kubectl auth can-i ... psp' 检查命名空间中是否授权了 podsecuritypolicy 的 'use'?
How can I check if 'use' of podsecuritypolicy is authorized in the namespace using 'kubectl auth can-i ... psp'?
以下错误是 returned:
error: you must specify two or three arguments: verb, resource, and optional resourceName
当我执行时:
kubectl auth --as=system:serviceaccount:mytest1:default can-i use psp 00-mytest1
我已经有 podsecuritypolicy (psp.yaml)、role (role.yaml) 和 rolebinding (rb.yaml) 和部署在命名空间 mytest1.
psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: 00-mytest1
labels: {}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
runAsUser:
rule: 'MustRunAsNonRoot'
runAsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
- min: 1
max: 65535
supplementalGroups:
rule: 'MayRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MayRunAs'
ranges:
- min: 1
max: 65535
seLinux:
rule: 'RunAsAny'
hostNetwork: false
hostIPC: false
hostPID: false
hostPorts: []
volumes:
- configMap
- downwardAPI
- emptyDir
- projected
- secret
role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: mytest1
namespace: "mytest1"
labels: {}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['00-mytest1']
和rb.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: mytest1
namespace: "mytest1"
labels: {}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: mytest1
subjects:
- kind: ServiceAccount
name: default
namespace: "mytest1"
我希望 return yes 或 no 用于 kubectl auth can-i ... 检查,而不是上述错误。身份验证检查的用例是否正确?谢谢他的指正。
您缺少标志 --subresource。如果我执行
kubectl auth --as=system:serviceaccount:mytest1:default can-i use psp --subresource=00-mytest1
我有明确的答案。我的情况:
no
你也可以得到这样的警告:
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
但它与您的配置直接相关。
详细了解kubectl auth can -i 命令检查
kubectl auth can-i --help
在您的终端中。
您还可以阅读 this doc.
以下错误是 returned:
error: you must specify two or three arguments: verb, resource, and optional resourceName
当我执行时:
kubectl auth --as=system:serviceaccount:mytest1:default can-i use psp 00-mytest1
我已经有 podsecuritypolicy (psp.yaml)、role (role.yaml) 和 rolebinding (rb.yaml) 和部署在命名空间 mytest1.
psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: 00-mytest1
labels: {}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
runAsUser:
rule: 'MustRunAsNonRoot'
runAsGroup:
rule: 'MustRunAs'
ranges:
- min: 1000
max: 1000
- min: 1
max: 65535
supplementalGroups:
rule: 'MayRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MayRunAs'
ranges:
- min: 1
max: 65535
seLinux:
rule: 'RunAsAny'
hostNetwork: false
hostIPC: false
hostPID: false
hostPorts: []
volumes:
- configMap
- downwardAPI
- emptyDir
- projected
- secret
role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: mytest1
namespace: "mytest1"
labels: {}
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['00-mytest1']
和rb.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: mytest1
namespace: "mytest1"
labels: {}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: mytest1
subjects:
- kind: ServiceAccount
name: default
namespace: "mytest1"
我希望 return yes 或 no 用于 kubectl auth can-i ... 检查,而不是上述错误。身份验证检查的用例是否正确?谢谢他的指正。
您缺少标志 --subresource。如果我执行
kubectl auth --as=system:serviceaccount:mytest1:default can-i use psp --subresource=00-mytest1
我有明确的答案。我的情况:
no
你也可以得到这样的警告:
Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'
但它与您的配置直接相关。
详细了解kubectl auth can -i 命令检查
kubectl auth can-i --help
在您的终端中。 您还可以阅读 this doc.