Cannot create deployments in a namespace even though a service account, ClusterRole and ClusterRoleBinding have been created

Time: 2021-06-24 14:44:11

Tags: kubernetes kubectl kubernetes-security

I am struggling while practising k8s security. This is an exercise I ran into that I need to solve. Question: Create a serviceaccount 'john' that has permission to create, delete and get deployments, statefulsets and daemonsets in the given namespace 'hr'. Create a clusterrole and clusterrolebinding.

Approach: I tried creating the sa, the clusterrole and the clusterrolebinding (binding the clusterrole to the created sa), but when I check it, it answers "no":

kubectl auth can-i create deploy --as john -n hr

no

Create the sa:

kubectl create sa john

Create the ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: hrcrole
rules:
- apiGroups: ["apps"]
  #
  # at the HTTP level the resource names are the plural forms used by
  # the "apps" API group
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["get", "watch", "list", "delete"]

Create the ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding grants the rules of the "hrcrole" ClusterRole to the listed subjects in every namespace.
kind: ClusterRoleBinding
metadata:
  name: hrcrolebind
subjects:
- kind: User
  name: hruser # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: hrcrole
  apiGroup: rbac.authorization.k8s.io

I also tried creating the serviceaccount in the namespace and creating the clusterrolebinding in the namespace, but I still get no. Unfortunately I have no way of solving this. Any help here is appreciated.

1 answer:

Answer 0 (score: 1)

You are trying to create a deployment:

kubectl auth can-i create deploy --as john -n hr

But you do not allow the create verb in the cluster role:

verbs: ["get", "watch", "list", "delete"]

Try recreating the cluster role like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: hrcrole
rules:
- apiGroups: ["apps"]
  #
  # at the HTTP level the resource names are the plural forms used by
  # the "apps" API group
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["create", "get", "watch", "list", "delete"]
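The following is an added example, not code from the question or the answer: a small offline model of how the API server evaluates a ClusterRole bound through a ClusterRoleBinding, so you can reason about a `can-i` result without a cluster. It goes slightly beyond the answer by also modelling subject matching: a ServiceAccount is authorised under the username `system:serviceaccount:<namespace>:<name>`, so `--as john` impersonates the plain user "john", and the question's binding names the user "hruser". The `Rule`, `Subject` and `can_i` names are this example's own.

```python
# Added example: minimal RBAC evaluation model (ClusterRole + ClusterRoleBinding only).
# A ClusterRoleBinding grants cluster-wide, so the request namespace is not modelled.
from dataclasses import dataclass

@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list

@dataclass
class Subject:
    kind: str            # "User", "Group" or "ServiceAccount"
    name: str
    namespace: str = ""  # only meaningful for ServiceAccount

def subject_matches(subject, username, groups):
    """A User subject matches by username, a Group by membership, and a
    ServiceAccount by the synthesized name system:serviceaccount:<ns>:<name>."""
    if subject.kind == "User":
        return subject.name == username
    if subject.kind == "Group":
        return subject.name in groups
    if subject.kind == "ServiceAccount":
        return username == f"system:serviceaccount:{subject.namespace}:{subject.name}"
    return False

def rule_allows(rule, group, resource, verb):
    def hit(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return hit(rule.api_groups, group) and hit(rule.resources, resource) and hit(rule.verbs, verb)

def can_i(username, groups, bindings, roles, group, resource, verb):
    """bindings: list of (subjects, role_name); roles: {name: [Rule]}.
    RBAC is purely additive: any matching binding whose role allows the
    request is enough; otherwise the answer is "no"."""
    for subjects, role_name in bindings:
        if any(subject_matches(s, username, groups) for s in subjects):
            if any(rule_allows(r, group, resource, verb) for r in roles.get(role_name, [])):
                return True
    return False

# Constructed sample: the question's original objects next to corrected ones.
APPS = ["deployments", "statefulsets", "daemonsets"]
ORIGINAL_ROLES = {"hrcrole": [Rule(["apps"], APPS, ["get", "watch", "list", "delete"])]}
ORIGINAL_BINDINGS = [([Subject("User", "hruser")], "hrcrole")]
FIXED_ROLES = {"hrcrole": [Rule(["apps"], APPS, ["create", "get", "watch", "list", "delete"])]}
FIXED_BINDINGS = [([Subject("ServiceAccount", "john", "hr")], "hrcrole")]
SA_JOHN = "system:serviceaccount:hr:john"  # identity to impersonate when checking the SA
```

Against a real cluster the equivalent check is `kubectl auth can-i create deployments.apps --as=system:serviceaccount:hr:john -n hr`.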