如何在Kubernetes中使用RBAC
[英]How to work with RBAC in Kubernetes
问题描述
I do understand RBAC and I'm able to create a role using rules en subjects, bind them with a user. 
我确实了解RBAC,并且能够使用规则主题创建角色,并将其与用户绑定。
For example this role can only list the pods 例如,此角色只能列出吊舱
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: development
name: list-pods
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "list"]
Now we are using namespaces for every environment we have (dev, staging, prd). 现在,我们为每个环境(开发,暂存和prd)使用名称空间。 Now how do I have to provide this role to users in different namespaces? 现在,我如何向不同名称空间中的用户提供此角色? Do I have to create a clusterRole and bind it with a normal rolebinding or do I have to write the above .yaml once for dev, once for uat and once for prd? 我是否必须创建一个clusterRole并将其与常规角色绑定进行绑定,还是必须为开发人员一次编写上述.yaml,为uat编写一次,为prd编写一次? Are there somewhere rules written about how to handles those cases? 是否有关于如何处理这些案件的法规?
2 个解决方案
解决方案1
1 已采纳 2018-08-04 04:23:04
Now how do I have to provide this role to users in different namespaces?
You do if you want to be able to constrain the ability to list Pod s for that Subject on a per Namespace basis. 如果您希望能够限制在每个Namespace基础上列出该Subject Pod的能力,则可以这样做。 For example, you might not want people to be able to see Pod s in kube-system (or a hypothetical internal-security namespace). 例如,您可能不希望人们能够在kube-system (或假设的internal-security名称空间)中看到Pod 。 Using the ability to list Pod s as an example makes this hard to imagine, but the ability to list, or view, or both, Secret s or ConfigMap s may make this more tangible. 以列出Pod的能力为例,这很难想象,但是列出Secret或ConfigMap或/或查看两者的能力可能会使这一点更加明显。 Presumably a Subject can view Secret s for their own project -- or even maybe not -- but not for other projects within the company. 大概一个Subject可以查看Secret的自己的项目-甚至可能不查看-但不能查看公司内的其他项目。 That kind of thing. 那种事
That gets even more real when one thinks about the ability to exec into arbitrary Pod s -- because that's the biggest risk that I can think of to the safety and confidentiality of applications in the cluster. 当人们想到能够exec任意Pod的能力时,这一点变得更加现实-因为这是我可以想到的对集群中应用程序的安全性和机密性的最大风险。
Do I have to create a clusterRole and bind it with a normal rolebinding
No, one uses a ClusterRoleBinding for that purpose. 不,为此目的使用ClusterRoleBinding 。 "Have to" is not the right question; “必须”不是正确的问题; it depends on whether you want the binding to apply to all namespaces, current and future . 这取决于您是否希望绑定应用于当前和将来的所有名称空间。
or do I have to write the above .yaml once for dev, once for uat and once for prd?
That also depends on whether those Namespaces have identical risk and identical Subject s who access them. 这还取决于这些Namespaces是否具有相同的风险以及访问它们的相同的Subject 。
Are there somewhere rules written about how to handles those cases?
Definitely not; 当然不; there's not one-size-fits-all for cluster security. 集群安全性不是万能的。 It all depends on the kind of risk one is trying to drive down. 这完全取决于人们试图压低的风险。
As a for-your-consideration, you're not obligated to use the RBAC constraints: you can certainly create a ClusterRoleBinding for every Subject to the cluster-admin ClusterRole and voilà, no more permission management. 出于您的考虑,您没有义务使用RBAC约束:您可以为cluster-admin ClusterRole和ClusterRoleBinding的每个Subject创建一个ClusterRoleBinding ,无需任何权限管理。 No more safeguards, either, but that's the spectrum. 也没有更多的保障措施,但这就是频谱。
解决方案2
1 2018-08-04 22:25:42
在您的特定情况下,我将创建具有所需权限的单个群集角色,然后通过角色绑定将其绑定到相关名称空间中的相应主题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.