新用户可以查看所有pod,而无需任何角色绑定

时间:2019-04-19 11:17:21

标签: kubernetes

kube-apiserver.service--authorization-mode=Node,RBAC一起运行

$ kubectl api-versions | grep rbac
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta1

相信这足以启用RBAC。

但是,我创建的任何新用户都可以查看所有资源而无需任何角色绑定。

创建新用户的步骤:

$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes nonadmin-csr.json | cfssljson -bare nonadmin
$ kubectl config set-cluster nonadmin --certificate-authority ca.pem --server https://127.0.0.1:6443
$ kubectl config set-credentials nonadmin --client-certificate nonadmin.pem --client-key nonadmin-key.pem
$ kubectl config set-context nonadmin --cluster nonadmin --user nonadmin
$ kubectl config use-context nonadmin

用户nonadmin可以查看Pod,svc,而无需任何角色绑定

$ kubectl get svc --all-namespaces
NAMESPACE       NAME                      TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE                 
default         kubernetes                ClusterIP   10.32.0.1     <none>        443/TCP                      5d4h
ingress-nginx   ingress-nginx             NodePort    10.32.0.129   <none>        80:30989/TCP,443:30686/TCP   5d3h
kube-system     calico-typha              ClusterIP   10.32.0.225   <none>        5473/TCP                     5d3h
kube-system     kube-dns                  ClusterIP   10.32.0.10    <none>        53/UDP,53/TCP                5d3h
rook-ceph       rook-ceph-mgr             ClusterIP   10.32.0.2     <none>        9283/TCP                     4d22h
rook-ceph       rook-ceph-mgr-dashboard   ClusterIP   10.32.0.156   <none>        8443/TCP                     4d22h
rook-ceph       rook-ceph-mon-a           ClusterIP   10.32.0.55    <none>        6790/TCP                     4d22h
rook-ceph       rook-ceph-mon-b           ClusterIP   10.32.0.187   <none>        6790/TCP                     4d22h
rook-ceph       rook-ceph-mon-c           ClusterIP   10.32.0.128   <none>        6790/TCP                     4d22h

版本:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:35:51Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:28:14Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}

这是在Ubuntu 18 VM上的非托管kubernetes设置。 我要去哪里错了?

编辑1::添加kubectl config view

$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /home/dadmin/ca.pem
    server: https://192.168.1.111:6443
  name: gabbar
- cluster:
    certificate-authority: /home/dadmin/ca.pem
    server: https://127.0.0.1:6443
  name: nonadmin
- cluster:
    certificate-authority: /home/dadmin/ca.pem
    server: https://192.168.1.111:6443
  name: kubernetes
contexts:
- context:
    cluster: gabbar
    namespace: testing
    user: gabbar
  name: gabbar
- context:
    cluster: nonadmin
    user: nonadmin
  name: nonadmin
- context:
    cluster: kubernetes
    user: admin
  name: kubernetes
current-context: nonadmin
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate: /home/dadmin/admin.pem
    client-key: /home/dadmin/admin-key.pem
- name: gabbar
  user:
    client-certificate: /home/dadmin/gabbar.pem
    client-key: /home/dadmin/gabbar-key.pem
- name: nonadmin
  user:
    client-certificate: /home/dadmin/nonadmin.pem
    client-key: /home/dadmin/nonadmin-key.pem

1 个答案:

答案 0 :(得分:0)

这种行为的最可能的根本原因是在生成mockClear时使用集合"O": "system:masters"

nonadmin-csr.json组绑定到cluster-admin super-user default role,结果-每个新创建的用户将具有完全访问权限。

这是一个很好的article,可为您提供有关如何创建名称空间访问权限受限的用户的分步说明。

快速测试表明,相似的用户但不同的组具有巨大的访问差异

-subj“ / CN =员工/ O =测试组”:

system:masters

-subj“ / CN = newemployee / O = system:masters”:

kubectl --context=employee-context get pods --all-namespaces
Error from server (Forbidden): pods is forbidden: User "employee" cannot list resource "pods" in API group "" at the cluster scope