How to set up a Kubernetes ClusterRoleBinding that gives a service account `view` access to all namespaces

Time: 2019-11-11 09:09:55

Tags: kubernetes

I set up a service account and a cluster role binding to give `view` access to the pods in all namespaces:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mine-user
  namespace: mine
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mine-rolebinding
subjects:
- kind: User
  name: mine-user
  namespace: mine
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

I tried to list deployments with curl:

curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/apis/apps/v1/namespaces/mine/deployments

But I get an error:

"deployments.apps is forbidden: User \"system:serviceaccount:mine:mine-user\" cannot list resource \"deployments\" in API group \"apps\" in the namespace \"mine\""

Even though the role binding exists:

kubectl -n mine describe clusterrolebinding/mine-rolebinding
Name:         mine-rolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  view
Subjects:
  Kind  Name               Namespace
  ----  ----               ---------
  User  mine-user          mine

I get the same error when using a custom cluster role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mine-role
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]

$ kubectl -n mine describe clusterrolebinding/mine-rolebinding2
Name:         mine-rolebinding2
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  mine-role
Subjects:
  Kind  Name               Namespace
  ----  ----               ---------
  User  mine-user          mine

$ kubectl -n mine describe clusterrole/mine-role
Name:         mine-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  deployments.apps  []                 []              [get list watch]

2 answers:

Answer 0 (score: 0)

You also need to define a Role. If you want read access to deployments, you should first check which apiGroup "deployments" belongs to:

kubectl api-resources
deployments   deploy   apps   true   Deployment

-> it belongs to the "apps" group

So the role should look like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mine
  name: mine-rolebinding
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]

You can check which permissions you have with the auth command:

kubectl auth can-i watch deployments --namespace mine --as mine-user
yes

More information:

https://kubernetes.io/docs/reference/access-authn-authz/authorization/
https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Answer 1 (score: 0)

I see you created a ServiceAccount, and you are trying to create a ClusterRoleBinding with subjects.kind: User while passing the name of this ServiceAccount. It won't work.

Please change subjects.kind to ServiceAccount and remove subjects.apiGroup from your ClusterRoleBinding,

or just apply this:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mine-user
  namespace: mine
---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mine-role
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mine-rolebinding
subjects:
- kind: ServiceAccount
  name: mine-user
  namespace: mine
roleRef:
  kind: ClusterRole
  name: mine-role
  apiGroup: rbac.authorization.k8s.io

You can read more about how to refer to subjects in a RoleBinding or ClusterRoleBinding in the Kubernetes docs.

Let me know if it works for you.
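The following is an added example, not code from the question or either answer. It models offline how the RBAC authorizer matches a binding's subjects and a role's rules, so that the failure in the question, the fix in Answer 1, and the `kubectl auth can-i ... --as mine-user` check in Answer 0 can all be reproduced without a cluster. The binding and role dicts are hand-transcribed from the manifests in this thread (only the custom mine-role is modelled; the built-in view role's full rule list is not on the page), and the `Caller`, `explain` and `service_account_caller` names are this example's own.

```python
"""Offline model of Kubernetes RBAC subject matching and rule evaluation.

Added example (not from the original post). The key point it shows: a
ServiceAccount token authenticates as the username
system:serviceaccount:<namespace>:<name>, so a binding whose subject is
kind: User, name: mine-user never matches it.
"""
from dataclasses import dataclass

SA_USERNAME_PREFIX = "system:serviceaccount:"


@dataclass(frozen=True)
class Caller:
    """The authenticated identity as the API server sees it (this example's own type)."""
    username: str
    groups: tuple = ()


def service_account_caller(namespace: str, name: str) -> Caller:
    """A ServiceAccount token authenticates as system:serviceaccount:<ns>:<name>
    and is a member of the well-known service-account groups."""
    return Caller(
        username=f"{SA_USERNAME_PREFIX}{namespace}:{name}",
        groups=(
            "system:serviceaccounts",
            f"system:serviceaccounts:{namespace}",
            "system:authenticated",
        ),
    )


def subject_matches(subject: dict, caller: Caller) -> bool:
    """subjects[].kind selects how the name is compared with the caller."""
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == caller.username
    if kind == "Group":
        return subject["name"] in caller.groups
    if kind == "ServiceAccount":
        expected = f"{SA_USERNAME_PREFIX}{subject['namespace']}:{subject['name']}"
        return caller.username == expected
    raise ValueError(f"unsupported subject kind: {kind!r}")


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """A PolicyRule grants a request only if group, resource and verb all match."""
    def hit(field: str, wanted: str) -> bool:
        values = rule.get(field, [])
        return "*" in values or wanted in values
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)


def is_allowed(caller, bindings, cluster_roles, api_group, resource, verb) -> bool:
    """RBAC is additive: any binding whose subject matches the caller and whose
    role has a matching rule allows the request; with none, it is forbidden."""
    for binding in bindings:
        if not any(subject_matches(s, caller) for s in binding["subjects"]):
            continue
        role = cluster_roles[binding["roleRef"]["name"]]
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


def explain(caller: Caller, binding: dict) -> str:
    """Diagnostic for the defender: say why a binding does or does not cover the caller."""
    name = binding["metadata"]["name"]
    for s in binding["subjects"]:
        if subject_matches(s, caller):
            return f"{name}: subject {s['kind']}/{s['name']} matches {caller.username}"
    listed = [f"{s['kind']}/{s['name']}" for s in binding["subjects"]]
    hint = ""
    if caller.username.startswith(SA_USERNAME_PREFIX):
        ns, sa_name = caller.username[len(SA_USERNAME_PREFIX):].split(":", 1)
        hint = f"; caller is a ServiceAccount, use kind: ServiceAccount, name: {sa_name}, namespace: {ns}"
    return f"{name}: no subject in {listed} matches {caller.username}{hint}"


# Transcribed from the thread's custom ClusterRole mine-role.
CLUSTER_ROLES = {
    "mine-role": {
        "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                   "verbs": ["get", "list", "watch"]}],
    },
}

# The question's binding: a User subject carrying the service account's short name.
BINDING_AS_USER = {
    "metadata": {"name": "mine-rolebinding"},
    "subjects": [{"kind": "User", "name": "mine-user", "namespace": "mine",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "ClusterRole", "name": "mine-role"},
}

# Answer 1's corrected binding.
BINDING_AS_SERVICE_ACCOUNT = {
    "metadata": {"name": "mine-rolebinding"},
    "subjects": [{"kind": "ServiceAccount", "name": "mine-user", "namespace": "mine"}],
    "roleRef": {"kind": "ClusterRole", "name": "mine-role"},
}

if __name__ == "__main__":
    sa = service_account_caller("mine", "mine-user")
    print(explain(sa, BINDING_AS_USER))
    print(explain(sa, BINDING_AS_SERVICE_ACCOUNT))
```

The model also shows why Answer 0's check reports "yes" while the curl request is forbidden: `--as mine-user` impersonates a User named mine-user, which does match the User subject in the question's binding, but the token in the curl request authenticates as system:serviceaccount:mine:mine-user, which does not. To test the identity that will actually be used, impersonate the service account's full username, for example `kubectl auth can-i list deployments -n mine --as system:serviceaccount:mine:mine-user`. Note too that a ClusterRoleBinding to view grants read access in every namespace; if the service account only needs one namespace, a RoleBinding in that namespace to the same ClusterRole is the narrower grant.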