Consider a set of HTTP GET and PUT requests I want to make to the K8S REST API. I know that a currently running pod (i.e. assume a pod in the cluster used for one-off testing/debugging/etc.) has the appropriate credentials (i.e. it is associated with a service account) to execute these calls successfully.

I want to modify the requests so that they are executed using a different service account (i.e. modify the request's user field). However, there is no guarantee that the user is allowed to perform all of these requests, and some of the requests may be destructive, so ideally one of the following two things would happen:

By allowing only some of the requests to succeed, it could put the system into an indeterminate state.

Is there an API/feature in K8S that lets me determine ahead of time whether a particular API request on behalf of a particular user/service account will be allowed?
Answer 0 (score: 3)
$ kubectl -v 10 --as system:serviceaccount:default:jenkins auth can-i create pod
...
I0426 20:27:33.008777 4149 request.go:942] Request Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":false}}
I0426 20:27:33.008875 4149 round_trippers.go:419] curl -k -v -XPOST -H "Impersonate-User: system:serviceaccount:default:jenkins" -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.14.0 (darwin/amd64) kubernetes/641856d" 'https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
I0426 20:27:34.935506 4149 round_trippers.go:438] POST https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews 201 Created in 1926 milliseconds
I0426 20:27:34.935550 4149 round_trippers.go:444] Response Headers:
I0426 20:27:34.935564 4149 round_trippers.go:447] Audit-Id: 631abed7-b27b-4eca-b267-4d7db0f1aa21
I0426 20:27:34.935576 4149 round_trippers.go:447] Content-Type: application/json
I0426 20:27:34.935588 4149 round_trippers.go:447] Date: Fri, 26 Apr 2019 14:57:34 GMT
I0426 20:27:34.935599 4149 round_trippers.go:447] Content-Length: 378
I0426 20:27:34.935724 4149 request.go:942] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"jenkins-ns-default/default\" of Role \"jenkins-ns-default\" to User \"system:serviceaccount:default:jenkins\""}}
yes
You can find a detailed description of the SubjectAccessReview API here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#subjectaccessreview-v1-authorization

Read more here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/
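A pre-flight check of the kind the answer describes, as an added example that is not from the original post: it builds a SubjectAccessReview body for every planned request and refuses to proceed unless all of them are allowed, which addresses the asker's concern about only some requests succeeding. The service account name, the planned requests and the stand-in API server are constructed for the example; a real run would POST each body to the cluster's API server.

```python
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample: the subject the pod wants to act as (hypothetical name)
# and the requests it intends to make on that subject's behalf.
TARGET_SA = "system:serviceaccount:default:jenkins"
PLANNED_REQUESTS = [
    {"namespace": "default", "verb": "get", "resource": "pods"},
    {"namespace": "default", "verb": "update", "resource": "deployments", "group": "apps"},
    {"namespace": "default", "verb": "delete", "resource": "pods"},
]

def build_subject_access_review(user: str, attrs: Dict[str, str]) -> dict:
    """Body for POST /apis/authorization.k8s.io/v1/subjectaccessreviews.
    Unlike SelfSubjectAccessReview (which kubectl pairs with an Impersonate-User
    header, as in the answer's trace), SubjectAccessReview names the subject in
    spec.user, so the caller needs only the right to create these reviews."""
    return {
        "kind": "SubjectAccessReview",
        "apiVersion": "authorization.k8s.io/v1",
        "spec": {"user": user, "resourceAttributes": dict(attrs)},
    }

def preflight(user: str, requests: List[Dict[str, str]],
              post: Callable[[dict], dict]) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """Review every planned request before executing any of them.
    Returns (all_allowed, [(verb, resource, reason) for each denied request])."""
    denied = []
    for attrs in requests:
        status = post(build_subject_access_review(user, attrs)).get("status", {})
        if not status.get("allowed", False):  # a missing 'allowed' counts as denied
            denied.append((attrs["verb"], attrs["resource"], status.get("reason", "")))
    return (len(denied) == 0, denied)

def fake_api_server(body: dict) -> dict:
    """Constructed offline stand-in for the API server: the subject may read and
    update but not delete. Mirrors the response shape seen in the answer's trace."""
    attrs = body["spec"]["resourceAttributes"]
    allowed = attrs["verb"] in ("get", "list", "update")
    status = {"allowed": allowed}
    if not allowed:
        status["reason"] = "RBAC: no rule grants this verb (constructed)"
    return {**body, "status": status}

if __name__ == "__main__":
    ok, denied = preflight(TARGET_SA, PLANNED_REQUESTS, fake_api_server)
    print("all allowed, safe to execute" if ok else "aborting, denied: " + json.dumps(denied))
```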