如何提供对 pod 的访问,以便它可以列出和获取其他 pods 和 namespaces/cluster 中的其他资源

How to provide access to a pod so that it can list and get other pods and other resource in the namespaces/cluster

我一直致力于创建一个可以对 kube-cluster 中部署的 istio 组件执行验证测试的应用程序。在我的例子中,限制是我有 运行 这个应用程序作为 kubernetes 中的一个 pod,我不能向应用程序的 pod 提供 cluster-admin 角色,以便它可以执行所有操作。我必须创建一个受限的 ClusterRole 来提供足够的访问权限,以便应用程序列出并获取所有必需的已部署 istio 资源(创建集群角色的原因是因为在部署 istio 时,它同时创建了命名空间级别和集群级别的资源).目前,如果我使用受限 ClusterRole 和输出以及错误

,我的应用程序根本不会 运行
Error: failed to fetch istiod pod, error: pods is forbidden: User "system:serviceaccount:istio-system:istio-deployment-verification-sa" cannot list resource "pods" in API group "" in the namespace "istio-system"

以上错误没有意义,因为我在 ClusterRole 中明确提到了核心 api 组,并且还在 resourceType 中提到了 pods 作为资源child 我的 ClusterRole 定义。

Clusterrole.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.clusterrole.name }}
  namespace: {{ .Values.clusterrole.clusterrolens}}
rules:
- apiGroups:
  - "rbac.authorization.k8s.io"
  - "" #enabling access to core API
  - "networking.istio.io"
  - "install.istio.io"
  - "autoscaling"
  - "apps"
  - "admissionregistration.k8s.io"
  - "policy"
  - "apiextensions.k8s.io"
  resources:
  - "clusterroles"
  - "clusterolebindings"
  - "serviceaccounts"
  - "roles"
  - "rolebindings"
  - "horizontalpodautoscalers"
  - "configmaps"
  - "deployments"
  - "mutatingwebhookconfigurations"
  - "poddisruptionbudgets"
  - "envoyfilters"
  - "validatingwebhookconfigurations"
  - "pods"
  - "wasmplugins"
  - "destinationrules"
  - "envoyfilters"
  - "gateways"
  - "serviceentries"
  - "sidecars"
  - "virtualservices"
  - "workloadentries"
  - "workloadgroups"
  - "authorizationpolicies"
  - "peerauthentications"
  - "requestauthentications"
  - "telemetries"
  - "istiooperators"
  resourceNames:
  - "istiod-istio-system"
  - "istio-reader-istio-system"
  - "istio-reader-service-account"
  - "istiod-service-account"
  - "wasmplugins.extensions.istio.io"
  - "destinationrules.networking.istio.io"
  - "envoyfilters.networking.istio.io"
  - "gateways.networking.istio.io"
  - "serviceentries.networking.istio.io"
  - "sidecars.networking.istio.io"
  - "virtualservices.networking.istio.io"
  - "workloadentries.networking.istio.io"
  - "workloadgroups.networking.istio.io"
  - "authorizationpolicies.security.istio.io"
  - "peerauthentications.security.istio.io"
  - "requestauthentications.security.istio.io"
  - "telemetries.telemetry.istio.io"
  - "istiooperators.install.istio.io"
  - "istiod"
  - "istiod-clusterrole-istio-system"
  - "istiod-gateway-controller-istio-system"
  - "istiod-clusterrole-istio-system"
  - "istiod-gateway-controller-istio-system"
  - "istio"
  - "istio-sidecar-injector"
  - "istio-reader-clusterrole-istio-system"
  - "stats-filter-1.10"
  - "tcp-stats-filter-1.10"
  - "stats-filter-1.11"
  - "tcp-stats-filter-1.11"
  - "stats-filter-1.12"
  - "tcp-stats-filter-1.12"
  - "istio-validator-istio-system"
  - "istio-ingressgateway-microservices"
  - "istio-ingressgateway-microservices-sds"
  - "istio-ingressgateway-microservices-service-account"
  - "istio-ingressgateway-public"
  - "istio-ingressgateway-public-sds"
  - "istio-ingressgateway-public-service-account"
  verbs:
  - get
  - list

我构建的应用程序利用了 istio 在 dockerhub 上发布的 istioctl docker 容器。 Link.

我想了解上面的 ClusterRole 定义需要进行哪些更改,以便我可以对命名空间中的 pods 执行获取和列表操作。

我还想了解我遇到的错误是否可能是在尝试引用集群中的其他资源?

集群信息:

Kubernetes version: 1.20
Istioctl docker image version: 1.12.2
Istio version: 1.12.1

评论中OP提到的问题经我建议解决:

Please run the command kubectl auth can-i list pods --namespace istio-system --as system:serviceaccount:istio-system:istio-deployment-verification-sa and attach result to the question. Look also here

OP 已确认问题已解决:

thanx for the above command using above I was finally able to nail down the issue and found the issue to be with first resourceName and second we need to mention core api in the api group before any other. Thank you issue is resolved now.