Query/test whether a K8S API request is authorized before executing it

Time: 2019-04-26 14:32:26

Tags: rest kubernetes

Background

Consider a set of HTTP GET/PUT requests that I want to make to the K8S REST API. I know that the currently running Pod (i.e. assume a Pod in the cluster used for one-off testing/debugging/etc.) has the appropriate credentials (i.e. it is associated with a service account) to execute these calls successfully.

I want to modify the requests so that they are executed using a different service account (i.e. modify the user field of the request). However, there is no guarantee that this user is allowed to perform all of these requests, and some of the requests may be destructive, so ideally one of the following two situations occurs:

  • None of the requests are executed.
  • 100% of the requests are executed.

Having only some of the requests succeed could put the system into an indeterminate state.


Question

Is there an API/feature in K8S with which I can determine in advance whether a specific API request made on behalf of a specific user/service account will be allowed to execute?

1 answer:

Answer 0: (score: 3)

$ kubectl -v 10 --as system:serviceaccount:default:jenkins auth can-i create pod
...
I0426 20:27:33.008777    4149 request.go:942] Request Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":false}}
I0426 20:27:33.008875    4149 round_trippers.go:419] curl -k -v -XPOST  -H "Impersonate-User: system:serviceaccount:default:jenkins" -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.14.0 (darwin/amd64) kubernetes/641856d" 'https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
I0426 20:27:34.935506    4149 round_trippers.go:438] POST https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews 201 Created in 1926 milliseconds
I0426 20:27:34.935550    4149 round_trippers.go:444] Response Headers:
I0426 20:27:34.935564    4149 round_trippers.go:447]     Audit-Id: 631abed7-b27b-4eca-b267-4d7db0f1aa21
I0426 20:27:34.935576    4149 round_trippers.go:447]     Content-Type: application/json
I0426 20:27:34.935588    4149 round_trippers.go:447]     Date: Fri, 26 Apr 2019 14:57:34 GMT
I0426 20:27:34.935599    4149 round_trippers.go:447]     Content-Length: 378
I0426 20:27:34.935724    4149 request.go:942] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"jenkins-ns-default/default\" of Role \"jenkins-ns-default\" to User \"system:serviceaccount:default:jenkins\""}}
yes

You can see a detailed description of the SubjectAccessReview API here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#subjectaccessreview-v1-authorization

Read more here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/
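Added example, not part of the question or the answer above: a Python preflight that builds one authorization.k8s.io/v1 SubjectAccessReview per planned request for the target service account and refuses to proceed unless every review comes back allowed, which gives the all-or-nothing behaviour the question asks for. The planned requests, the jenkins service account name and fake_api are constructed for the example; a real run would POST each body to the API server.

```python
from typing import Callable, Dict, List

# Constructed sample plan: resource attributes for the requests we intend to make
# (namespace, resource names and the service account below are assumptions).
PLANNED_REQUESTS = [
    {"namespace": "default", "verb": "get", "resource": "pods"},
    {"namespace": "default", "verb": "update", "resource": "configmaps", "name": "app-config"},
    {"namespace": "default", "verb": "delete", "resource": "deployments", "name": "app"},
]
TARGET_USER = "system:serviceaccount:default:jenkins"


def subject_access_review(user: str, attrs: Dict) -> Dict:
    """Build a SubjectAccessReview body asking whether `user` may perform the
    request described by `attrs`. It names the subject explicitly, so the caller
    needs create rights on subjectaccessreviews rather than the impersonation
    rights that `kubectl --as` relies on."""
    return {
        "kind": "SubjectAccessReview",
        "apiVersion": "authorization.k8s.io/v1",
        "spec": {"user": user, "resourceAttributes": attrs},
    }


def describe(attrs: Dict) -> str:
    name = "/" + attrs["name"] if "name" in attrs else ""
    return f'{attrs["verb"]} {attrs["resource"]}{name} in {attrs["namespace"]}'


def preflight(user: str, requests: List[Dict], post: Callable[[str, Dict], Dict]) -> List[str]:
    """POST one review per planned request and return the ones that are not
    allowed. Nothing is executed here; the caller runs the real requests only
    when the returned list is empty."""
    denied = []
    for attrs in requests:
        resp = post("/apis/authorization.k8s.io/v1/subjectaccessreviews",
                    subject_access_review(user, attrs))
        status = resp.get("status", {})
        # A missing verdict or an evaluation error is treated as a denial.
        if status.get("allowed") is not True or status.get("evaluationError"):
            denied.append(f'{describe(attrs)}: {status.get("reason", "no reason given")}')
    return denied


def fake_api(path: str, body: Dict) -> Dict:
    """Stand-in for the API server (constructed): allows everything but deletes."""
    verb = body["spec"]["resourceAttributes"]["verb"]
    allowed = verb != "delete"
    reason = "RBAC: allowed by RoleBinding" if allowed else "RBAC: no matching rule"
    return {**body, "status": {"allowed": allowed, "reason": reason}}
```

Swap fake_api for a function that POSTs the body to the API server with the pod's own service-account token, and run the planned requests only when preflight returns an empty list.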