GKE Kubernetes RBAC将默认角色绑定到我的有限定制

时间:2019-03-03 19:48:55

标签: kubernetes google-kubernetes-engine rbac

我正在使用G 我想创建一个只能访问特定名称空间的自定义用户,我使用了这个yaml:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: develop-user
  namespace: develop

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: develop-user-full-access
  namespace: develop
rules:
- apiGroups: rbac.authorization.k8s.io
  resources:
  - services
  verbs: ["get"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: develop-user-view
  namespace: develop
subjects:
- kind: ServiceAccount
  name: develop-user
  namespace: develop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: develop-user-full-access

因此,在将上下文切换到该新服务帐户并确定我仍然可以访问所有内容后,我得到了证书并添加到我的kube配置中:(
为什么会发生以及如何解决?

我的kubeconfig(粘贴副本:https://pastebin.com/s5Nd6Dnn):

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: %certificate-data%
    server: https://animeheaven.nyah
  name: anime-cluster-develop
contexts:
- context:
    cluster: anime-cluster-develop
    namespace: develop
    user: develop-user
  name: anime-develop
current-context: anime-develop
kind: Config
preferences: {}
users:
- name: develop-user
  user:
    client-key-data: %certdata%
    token: %tokenkey%

2 个答案:

答案 0 :(得分:3)

https://medium.com/uptime-99/making-sense-of-kubernetes-rbac-and-iam-roles-on-gke-914131b01922
https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28

这两篇文章终于对我有所帮助!由于这些愚蠢的东西,我几乎感到沮丧,这要归功于uptime-99和ManagedKube我做到了!是的!

关键是在gcloud中创建kubernetes-viewer用户,然后为其创建角色 这是一个提示!

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: develop
  name: allow-developer-port-forward
rules:
- apiGroups: [""]
  resources: ["pods", "pods/portforward"]
  verbs: ["get", "list", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: anime-developer-port-access
  namespace: develop
subjects:
- kind: User
  name: ANIMEDEVERLOP@gmail.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-developer-port-forward
  apiGroup: ""

然后

  

kubectly应用-f accessconfig.yaml

就这样!
祝你有美好的一天!

答案 1 :(得分:2)

这是一篇有关如何设置它的好文章:https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html

通常,您的配置很好,我更改的是将- apiGroups: rbac.authorization.k8s.io行更改为:

- apiGroups: ["", "extensions", "apps"]

然后,执行以下步骤:

  1. 创建develop命名空间
$ kubectl create namespace develop
  1. 从您的配置中创建RBAC。
$ kubectl apply -f rbac.yaml
  1. 读取群集IP,令牌和CA证书。
$ kubectl cluster-info
$ kubectl get secret develop-user-token-2wsnb -o jsonpath={.data.token} -n develop | base64 --decode
$ kubectl get secret develop-user-token-2wsnb -o "jsonpath={.data['ca\.crt']}" -n develop
  1. 填充~/.kube/config文件(如linked guide中所述)
  2. 将上下文更改为develop
  3. 用户只能访问develop名称空间中的检查服务。
$ kubectl get service my-service -n mynamespace
Error from server (Forbidden): services "my-service" is forbidden: User "system:serviceaccount:develop:develop-user" cannot get services in the namespace "mynamespace"
$ kubectl get service my-service -n develop
hError from server (NotFound): services "my-service" not found
相关问题
最新问题