[英]How to work with RBAC in Kubernetes
I do understand RBAC and I'm able to create a role using rules en subjects, bind them with a user. 我确实了解RBAC,并且能够使用规则主题创建角色,并将其与用户绑定。
For example this role can only list the pods 例如,此角色只能列出吊舱
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: development
name: list-pods
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "list"]
Now we are using namespaces for every environment we have (dev, staging, prd). 现在,我们为每个环境(开发,暂存和prd)使用名称空间。 Now how do I have to provide this role to users in different namespaces?
现在,我如何向不同名称空间中的用户提供此角色? Do I have to create a clusterRole and bind it with a normal rolebinding or do I have to write the above .yaml once for dev, once for uat and once for prd?
我是否必须创建一个clusterRole并将其与常规角色绑定进行绑定,还是必须为开发人员一次编写上述.yaml,为uat编写一次,为prd编写一次? Are there somewhere rules written about how to handles those cases?
是否有关于如何处理这些案件的法规?
Now how do I have to provide this role to users in different namespaces?
现在,我如何向不同名称空间中的用户提供此角色?
You do if you want to be able to constrain the ability to list Pod
s for that Subject
on a per Namespace
basis. 如果您希望能够限制在每个
Namespace
基础上列出该Subject
Pod
的能力,则可以这样做。 For example, you might not want people to be able to see Pod
s in kube-system
(or a hypothetical internal-security
namespace). 例如,您可能不希望人们能够在
kube-system
(或假设的internal-security
名称空间)中看到Pod
。 Using the ability to list Pod
s as an example makes this hard to imagine, but the ability to list, or view, or both, Secret
s or ConfigMap
s may make this more tangible. 以列出
Pod
的能力为例,这很难想象,但是列出Secret
或ConfigMap
或/或查看两者的能力可能会使这一点更加明显。 Presumably a Subject
can view Secret
s for their own project -- or even maybe not -- but not for other projects within the company. 大概一个
Subject
可以查看Secret
的自己的项目-甚至可能不查看-但不能查看公司内的其他项目。 That kind of thing. 那种事
That gets even more real when one thinks about the ability to exec
into arbitrary Pod
s -- because that's the biggest risk that I can think of to the safety and confidentiality of applications in the cluster. 当人们想到能够
exec
任意Pod
的能力时,这一点变得更加现实-因为这是我可以想到的对集群中应用程序的安全性和机密性的最大风险。
Do I have to create a clusterRole and bind it with a normal rolebinding
我是否必须创建clusterRole并将其与常规角色绑定绑定
No, one uses a ClusterRoleBinding
for that purpose. 不,为此目的使用
ClusterRoleBinding
。 "Have to" is not the right question; “必须”不是正确的问题; it depends on whether you want the binding to apply to all namespaces, current and future .
这取决于您是否希望绑定应用于当前和将来的所有名称空间。
or do I have to write the above .yaml once for dev, once for uat and once for prd?
还是我必须为开发人员编写一次上述.yaml,为uat编写一次,为prd编写一次?
That also depends on whether those Namespaces
have identical risk and identical Subject
s who access them. 这还取决于这些
Namespaces
是否具有相同的风险以及访问它们的相同的Subject
。
Are there somewhere rules written about how to handles those cases?
是否有关于如何处理这些案件的法规?
Definitely not; 当然不; there's not one-size-fits-all for cluster security.
集群安全性不是万能的。 It all depends on the kind of risk one is trying to drive down.
这完全取决于人们试图压低的风险。
As a for-your-consideration, you're not obligated to use the RBAC constraints: you can certainly create a ClusterRoleBinding
for every Subject
to the cluster-admin
ClusterRole
and voilà, no more permission management. 出于您的考虑,您没有义务使用RBAC约束:您可以为
cluster-admin
ClusterRole
和ClusterRoleBinding
的每个Subject
创建一个ClusterRoleBinding
,无需任何权限管理。 No more safeguards, either, but that's the spectrum. 也没有更多的保障措施,但这就是频谱。
在您的特定情况下,我将创建具有所需权限的单个群集角色,然后通过角色绑定将其绑定到相关名称空间中的相应主题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.