
How to debug ABAC to RBAC transition in a GKE kubernetes cluster?

Where does GKE log RBAC permission events?

Google Container Engine (GKE) clusters with kubernetes version v1.6 enable RBAC authorization by default. Apparently ABAC is enabled as a fallback authorizer as well, in order to ease the transition of existing clusters to the new authorization scheme. The idea is that RBAC is tried first to authorize an action. If that fails, this should be logged somewhere and then ABAC is consulted to allow the action. This should enable cluster admins to inspect the logs for missing RBAC permissions before finally switching off ABAC.

We have some clusters that disable GCP logging/monitoring and instead use our own ELK stack. Just to be sure, I've created a test cluster with GCP's cloud logging and monitoring, but still can't find any RBAC events anywhere. The test pod is a prometheus server that discovers and scrapes other pods and nodes.

To make this more comprehensive, from Using RBAC Authorization:

When run with a log level of 2 or higher (--v=2), you can see RBAC denials in the apiserver log (prefixed with RBAC DENY:).

In GKE the apiserver logs can be accessed via HTTP like:

kubectl proxy &
curl -s http://localhost:8001/logs/kube-apiserver.log

RBAC denials are logged to the master apiserver log.
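As an added example (not part of the question or the answer above), the following Python script parses the RBAC DENY: lines out of an apiserver log fetched as shown in the question and aggregates them per subject into the PolicyRule-shaped entries a Role or ClusterRole would need before ABAC is switched off. The sample log lines are constructed to match the format the kubernetes 1.6 RBAC authorizer (rbac.go) emits at --v=2; that format, and the split_resource and suggest_rules helpers, are my assumptions and should be checked against your own apiserver log before you rely on the regex.

```python
import re
from collections import defaultdict

# Constructed sample of a kube-apiserver log at --v=2. The "RBAC DENY:" lines follow the
# format the kubernetes 1.6 RBAC authorizer (rbac.go) writes: user, groups, verb, then either
# resource[.apiGroup][/subresource] (optionally "named" an object) or a nonResourceURL, and
# finally the scope. This is an assumption; check it against a real apiserver log.
SAMPLE_LOG = """\
I0501 10:00:00.000001 5 rbac.go:116] RBAC DENY: user "system:serviceaccount:monitoring:prometheus" groups ["system:serviceaccounts" "system:serviceaccounts:monitoring" "system:authenticated"] cannot "list" resource "pods" cluster-wide
I0501 10:00:00.000002 5 rbac.go:116] RBAC DENY: user "system:serviceaccount:monitoring:prometheus" groups ["system:serviceaccounts" "system:serviceaccounts:monitoring" "system:authenticated"] cannot "get" resource "nodes/metrics" named "gke-node-1" cluster-wide
I0501 10:00:00.000003 5 rbac.go:116] RBAC DENY: user "system:serviceaccount:monitoring:prometheus" groups ["system:serviceaccounts" "system:serviceaccounts:monitoring" "system:authenticated"] cannot "get" nonResourceURL "/metrics" cluster-wide
I0501 10:00:00.000004 5 rbac.go:116] RBAC DENY: user "alice@example.com" groups ["system:authenticated"] cannot "create" resource "deployments.extensions" in namespace "staging"
I0501 10:00:00.000005 5 rbac.go:116] RBAC DENY: user "alice@example.com" groups ["system:authenticated"] cannot "list" resource "deployments.extensions" in namespace "staging"
I0501 10:00:00.000006 5 handler.go:200] GET /api/v1/namespaces/default/pods: (1.2ms) 200
"""

DENY_RE = re.compile(
    r'RBAC DENY: user "(?P<user>[^"]+)" groups \[(?P<groups>[^\]]*)\] cannot '
    r'"(?P<verb>[^"]+)" '
    r'(?:resource "(?P<resource>[^"]+)"(?: named "(?P<name>[^"]+)")?'
    r'|nonResourceURL "(?P<url>[^"]+)") '
    r'(?:in namespace "(?P<namespace>[^"]+)"|cluster-wide)'
)


def split_resource(resource):
    """Split the authorizer's resource[.apiGroup][/subresource] token into (apiGroup, resource).

    'deployments.extensions' -> ('extensions', 'deployments'); 'nodes/metrics' -> ('', 'nodes/metrics').
    The API group may itself contain dots, so the subresource is separated first and the
    remainder is split on the first dot only.
    """
    base, slash, sub = resource.partition("/")
    name, _dot, group = base.partition(".")
    return group, name + slash + sub


def parse_denials(log_text):
    """Return one dict per RBAC DENY line; every other apiserver line is ignored."""
    denials = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        if d["resource"] is not None:
            d["api_group"], d["resource"] = split_resource(d["resource"])
        else:
            d["api_group"] = None  # nonResourceURL denial
        denials.append(d)
    return denials


def suggest_rules(denials, user):
    """Aggregate one subject's denials into minimal PolicyRule-shaped dicts.

    Returns (kind, rules): kind is 'ClusterRole' if any denial was cluster-wide (which includes
    every nonResourceURL denial), otherwise 'Role'. Object names from "named" are dropped on
    purpose: they show which object was hit, but restricting with resourceNames is a tightening
    an admin should apply deliberately rather than have a log grep decide.
    """
    verbs_by_target = defaultdict(set)
    cluster_scoped = False
    for d in denials:
        if d["user"] != user:
            continue
        if d["namespace"] is None:
            cluster_scoped = True
        if d["url"] is not None:
            verbs_by_target[("nonResourceURLs", d["url"])].add(d["verb"])
        else:
            verbs_by_target[(d["api_group"], d["resource"])].add(d["verb"])
    rules = []
    for key, verbs in sorted(verbs_by_target.items()):
        if key[0] == "nonResourceURLs":
            rules.append({"nonResourceURLs": [key[1]], "verbs": sorted(verbs)})
        else:
            rules.append({"apiGroups": [key[0]], "resources": [key[1]], "verbs": sorted(verbs)})
    return ("ClusterRole" if cluster_scoped else "Role"), rules


if __name__ == "__main__":
    # Against a real cluster, replace SAMPLE_LOG with the output of:
    #   kubectl proxy &  curl -s http://localhost:8001/logs/kube-apiserver.log
    found = parse_denials(SAMPLE_LOG)
    for subject in sorted({d["user"] for d in found}):
        kind, rules = suggest_rules(found, subject)
        print(f"{subject}: needs a {kind} with rules:")
        for rule in rules:
            print("  ", rule)
```

Run it over the log captured via kubectl proxy and diff the suggested rules against the Roles and ClusterRoles you have already bound; anything left over is a permission ABAC is still silently granting and that disappears once the fallback is removed.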
