在Kubernetes中,您可以使用auth can-i命令来检查您是否拥有某些资源的权限。
例如,我可以在工作程序上使用以下命令:
kubectl --kubeconfig /etc/kubernetes/kubelet.conf auth can-i get pods -v 9
它将检查您是否具有查看窗格的权限,并在添加-v标志时显示详细输出:
...
curl -k -v -XPOST -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.18.0 (linux/amd64) kubernetes/9e99141" 'https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
我想将此REST API与curl一起使用,但无法使用:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H "Accept: application/json, */*" \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
"allowed":true
}
}
EOF
如果由于错误而失败:
"status": "Failure",
"message": "SelfSubjectAccessReview in version \"v1\" cannot be handled as a SelfSubjectRulesReview: converting (v1.SelfSubjectAccessReview).v1.SelfSubjectAccessReviewSpec to (authorization.SelfSubjectRulesReview).authorization.SelfSubjectRulesReviewSpec: Namespace not present in src",
"reason": "BadRequest",
"code": 400
如何使用带有curl的SelfSubjectRulesReview API查看资源许可?
由于@HelloWorld,我发现了问题,问题出在selfsubjectaccessreviews与selfsubjectrulesreviews之间的区别。我将举2个工作的curl示例。
1) selfsubjectaccessreviews 示例,以查看该帐户是否具有以下权限:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"resourceAttributes":{
"namespace":"default",
"verb":"get",
"resource":"pods"
}
},
"status":{
}
}
EOF
2) selfsubjectrulesreviews 示例,以查看帐户在默认名称空间上的所有权限:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectRulesReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
}
}
EOF
答案 0 :(得分:1)
请注意,kubectl verbose在输出中显示了该URL:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews
你正在卷曲:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews
您能注意到区别吗? selfsubject 访问评论与selfsubject 规则评论。
更改网址以更正网址,它将起作用。