在我的k8s群集中,有一些秘密资源列在下面。
$ kubectl获取秘密-n istio-system
NAME TYPE
default-token-4wwkb kubernetes.io/service-account-tokenistio-ca-secret istio.io/ca-root
istio-ca-service-account-token-rl4xm kubernetes.io/service-account-token
istio-egress-service-account-token-vbfwf kubernetes.io/service-account-token
istio-ingress-certs kubernetes.io/tls
istio-ingress-service-account-token-kwr85 kubernetes.io/service-account-tokenistio-mixer-service-account-token-29qbb kubernetes.io/service-account-tokenistio-pilot-service-account-token-t6kmf kubernetes.io/service-account-tokenistio.default istio.io/key-and-cert
istio.istio-ca-service-account istio.io/key-and-cert
istio.istio-egress-service-account istio.io/key-and-cert
istio.istio-ingress-service-account istio.io/key-and-cert
istio.istio-mixer-service-account istio.io/key-and-cert
istio.istio-pilot-service-account istio.io/key-and-cert
istio.test-istio-sa istio.io/key-and-cert
test-istio-sa-token-4zm9k kubernetes.io/service-account-token
现在我想使用rbac来控制服务帐户test-istio-sa,这样test-istio-sa只能访问kubernetes.io/service-account-token类型的所有秘密,例如istio-ca -service-account-token-rl4xm和istio-ingress-service-account-token-kwr85。
我创建了一个Role kube-sa-token-reader,并将其绑定到服务帐户test-istio-sa。
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: istio-system
name: kube-sa-token-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["secrets/kubernetes.io/service-account-token"] # grant access to all service account tokens
verbs: ["get", "watch", "list"]
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-kube-sa-token
namespace: istio-system
subjects:
- kind: ServiceAccount
name: test-istio-sa
roleRef:
kind: Role
name: kube-sa-token-reader
apiGroup: rbac.authorization.k8s.io
但它似乎无法按预期工作。
$ kubectl auth can-i get secret/kubernetes.io/service-account-token -n istio-system --as system:serviceaccount:istio-system:test-istio-sa
no - Unknown user "system:serviceaccount:istio-system:test-istio-sa"