无法授予服务帐户权限以应用现有角色“服务器错误(禁止)...尝试授予额外的特权”

时间:2018-07-08 09:14:09

标签: kubernetes rbac role

我正在尝试授予服务帐户权限,使其可以在现有角色上运行kubectl apply -f somerole.yaml

我创建了具有以下权限的服务帐户:

cat > ~/tmp/Role.yaml <<EOF 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role6
rules: 
- apiGroups: ["*"]
  resources: ["roles"]
  verbs: ["replace", "patch", "get", "list", "create"] 
EOF

kubectl create -f ~/tmp/Role.yaml

所有后台权限(RoleBinding,上下文)似乎都不错,因为如果我在资源字段中添加pods,则可以使用:
kubectl get pods --context=myservice6-context

我跑步时:

kubectl apply -f malrole.yaml --context=$CONTEXT_NAME

我收到了:

Error from server (Forbidden): error when creating "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]}] ruleResolutionErrors=[]

可读性更好的版本:

Error from server (Forbidden): 
    error when creating "malrole.yaml": 
    roles.rbac.authorization.k8s.io "testrole" is forbidden: 
        attempt to grant extra privileges: 
        [ 
            PolicyRule{
                Resources:["pods"], APIGroups:["*"], Verbs:["get"]
            }
        ] 
        user=&{
            system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 
            [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]
            } 

        ownerrules=[
            PolicyRule{
                Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], 
                Verbs:["create"]
            } 

            PolicyRule{
                NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*""/version"], 
                Verbs:["get"]
            }

            PolicyRule{
                Resources:["roles"], APIGroups:["*"], Verbs:["replace" "patch" "get" "list" "create"]
            }
        ] 


        ruleResolutionErrors=[]

malrole.yaml(我尝试应用的文件):

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: testrole
rules:
- apiGroups: ["*"]
  resources: ["pods"]
  verbs: ["get"]

它写道:

  

尝试授予额外的特权...

从以下行中提取以下代码:
https://github.com/kubernetes/kubernetes/blob/4d9873556201f2766ccf6161f7beac5f76b8fd60/pkg/registry/rbac/validation/rule.go#L52

不知道为什么。

根据文档:

  

ConfirmNoEscalation确定给定用户的角色   给定名称空间包含 提供的角色

但是我尝试也给自己更多权限(请参见编辑),但仍然收到此错误。

编辑:
即使我将权限更改为

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: my-role6
rules: 
- apiGroups: ["*"]
  resources: ["roles"]
  verbs: ["*"]

我收到了:

Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"rbac.authorization.k8s.io/v1beta1\",\"kind\":\"Role\",\"metadata\":{\"annotations\":{},\"name\":\"testrole\",\"namespace\":\"default\"},\"rules\":[{\"apiGroups\":[\"*\"],\"resources\":[\"pods\"],\"verbs\":[\"list\",\"get\"]}]}\n"}},"rules":[{"apiGroups":["*"],"resources":["pods"],"verbs":["list","get"]}]}
to:
&{0xc420b26840 0xc4202b18f0 default testrole malrole.yaml 0xc4211a8988 0xc42000c008 1638 false}
for: "malrole.yaml": roles.rbac.authorization.k8s.io "testrole" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:["*"], Verbs:["get"]}] user=&{system:serviceaccount:default:myservice6 5cdb719b-828b-11e8-993e-02420d415928 [system:serviceaccounts system:serviceaccounts:default system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]} PolicyRule{Resources:["roles"], APIGroups:["*"], Verbs:["*"]}] ruleResolutionErrors=[]

1 个答案:

答案 0 :(得分:0)

@liggitt告诉我

  

防止升级会拒绝尝试创建包含以下内容的角色   您尚未拥有的权限

正在关注:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping

我发现,要能够应用角色,我需要具有以下权限:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata: 
  namespace: default
  name: $ROLE_NAME
rules: 
- apiGroups: ["*"]
  resources: ["roles", "pods"]
  verbs: ["patch", "get", "list"]

我不确定在应用角色时为什么pods应该成为资源的一部分。但是也许应用程序为此使用了一些系统容器。

如以上链接所述:

  

要允许用户创建/更新角色,请执行以下操作:

     
      
  1. 授予他们一个角色,使他们可以创建/更新“角色”或   根据需要使用ClusterRole对象。
    2.   
  2. 授予他们包含   您希望他们能够在角色或角色中设置的权限   。如果他们尝试创建或修改角色或ClusterRole   具有他们自己尚未被授予的权限的API   请求将被禁止。
    3.   
相关问题
最新问题