即使在apiGroups中也禁止roles.rbac.authorization.k8s.io

时间:2019-01-04 17:40:51

标签: kubernetes rbac kubernetes-helm

我正在运行kubernetes v1.11.5,并且正在为每个名称空间安装分a部署的头盔。 让我们集中于一个名称空间。这是分till服务帐户配置:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: marketplace-int
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: marketplace-int
rules:
- apiGroups:
  - ""
  - extensions
  - apps
  - rbac.authorization.k8s.io
  - roles.rbac.authorization.k8s.io
  - authorization.k8s.io
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: marketplace-int
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: marketplace-int
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io

当我尝试部署图表时,出现此错误:

Error: release citest failed: roles.rbac.authorization.k8s.io "marketplace-int-role-ns-admin" is forbidden: 
attempt to grant extra privileges: 
[{[*] [*] [*] [] []}] user=&{system:serviceaccount:marketplace-int:tiller 5c6af739-1023-11e9-a245-0ab514dfdff4 
[system:serviceaccounts system:serviceaccounts:marketplace-int system:authenticated] map[]} 
ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} 
{[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]} 
{[*] [ extensions apps rbac.authorization.k8s.io roles.rbac.authorization.k8s.io authorization.k8s.io] [*] [] []}] ruleResolutionErrors=[]

尝试为该名称空间(使用分er sa)创建rbac配置时出现错误:

# Source: marketplace/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: citest
    chart: marketplace-0.1.0
    heritage: Tiller
    release: citest
    namespace: marketplace-int
  name: marketplace-int-role-ns-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

错误消息清楚地表明,分er服务帐户没有roles.rbac.authorization.k8s.io的权限,但已如先前所示授予了该权限。

$kubectl describe role tiller-manager
Name:         tiller-manager
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"tiller-manager","namespace":"marketplace-i...
PolicyRule:
  Resources                          Non-Resource URLs  Resource Names  Verbs
  ---------                          -----------------  --------------  -----
  *                                  []                 []              [*]
  *.apps                             []                 []              [*]
  *.authorization.k8s.io             []                 []              [*]
  *.extensions                       []                 []              [*]
  *.rbac.authorization.k8s.io        []                 []              [*]
  *.roles.rbac.authorization.k8s.io  []                 []              [*]

老实说,我不完全理解该错误消息以检查ownerrules是否正常,并且我试图找出这似乎与角色描述有关的消息意味着什么:{[*] [*] [*] [] []}

关于我缺少哪些权限的任何线索吗?

3 个答案:

答案 0 :(得分:4)

这是由于RBAC中的权限升级阻止。有关详情,请参见https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping

创建角色对象的权限是必要的,但还不够。

仅当满足以下至少一项要求时,用户才能创建/更新角色:

  1. 它们已经具有角色中包含的所有权限,与正在修改的对象处于相同的作用域(对于ClusterRole,群集范围内,在同一名称空间内;对于角色,群集范围内)。在您的情况下,这意味着尝试创建角色的用户必须在尝试创建角色的名称空间中已经具有apiGroups=*, resources=*, verbs=*权限。您可以通过使用角色绑定将cluster-admin clusterrole授予该名称空间中的serviceaccount来授予此权限。

  2. 他们被授予在rbac.authorization.k8s.io API组(Kubernetes 1.12和更高版本)中的角色或clusterroles资源上执行“升级”动词的明确权限。

答案 1 :(得分:1)

首先,您需要授予分till SA集群管理员权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: marketplace-int

将群集管理员角色分配给分er SA后,您应该可以创建该角色。

答案 2 :(得分:0)

您应该能够在同一名称空间内创建角色。我自己尝试过此操作,这意味着使用与您在问题中描述的角色相同的角色来创建角色,并且能够成功完成(我更改了名称空间以进行测试),因此我认为它与您的角色定义无关,但是与角色定义有关分er正在使用该特定服务帐户来创建新事物。

# With an cluster-admin cluster role
$ echo '---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: test
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: test
rules:
- apiGroups:
  - ""
  - extensions
  - apps
  - rbac.authorization.k8s.io
  - roles.rbac.authorization.k8s.io
  - authorization.k8s.io
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: test
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: test
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io' | kubectl apply -f -

然后:

$ kubectl -n test describe secret tiller-token-xxxxx
Name:         tiller-token-xxxx
Namespace:    test
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: tiller

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  4 bytes
token:      <my-token>

然后:

$ mv ~/.kube ~/.kube.tmp
$ echo 'apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: citest
    chart: marketplace-0.1.0
    heritage: Tiller
    release: citest
  namespace: test
  name: marketplace-int-role-ns-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]' | kubectl -n test --token <your-token> --server <your-kubeapiserver> apply -f - 
role.rbac.authorization.k8s.io/marketplace-int-role-ns-admin created
相关问题
最新问题