堆栈内存溢出
  简体   繁体   English

授予Kubernetes服务帐户特权以从所有名称空间获取Pod

[英]Grant Kubernetes service account privileges to get pods from all namespaces

 原文  2019-04-09 11:24:14       kubernetes/ rbac

问题描述

I would like to grant a Kubernetes service account privileges for executing kubectl --token $token get pod --all-namespaces . 我想授予Kubernetes服务帐户特权以执行kubectl --token $token get pod --all-namespaces I'm familiar with doing this for a single namespace but don't know how to do it for all (including new ones that may be created in the future and without granting the service account full admin privileges ). 我熟悉对单个名称空间执行此操作,但不知道如何对所有名称空间执行此操作(包括将来可能会创建且未授予服务帐户完全管理员权限的新名称空间 )。

Currently I receive this error message: 目前,我收到此错误消息:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kube-system:test" cannot list resource "pods" in API group "" at the cluster scope 来自服务器的错误(禁止):禁止使用pod:用户“ system:serviceaccount:kube-system:test”无法在群集作用域的API组“”中列出资源“ pods”

What (cluster) roles and role bindings are required? 需要哪些(群集)角色和角色绑定?

UPDATE Assigning role view to the service with the following ClusterRoleBinding works and is a step forward. UPDATE通过以下ClusterRoleBinding将角色view分配给服务可以ClusterRoleBinding工作,并且是向前迈出的一步。 However, I'd like to confine the service account's privileges further to the minimum required. 但是,我想进一步限制服务帐户的权限。 

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
subjects:
- kind: ServiceAccount
  name: test
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

The service account's token can be extracted as follows: 可以如下提取服务帐户的令牌: 

secret=$(kubectl get serviceaccount test -n kube-system -o=jsonpath='{.secrets[0].name}')
token=$(kubectl get secret $secret -n kube-system -o=jsonpath='{.data.token}' | base64 --decode -)

2 个解决方案

解决方案1
 2  2019-04-09 12:28:54

ClustRole & ClusterRoleBinding are correct when you need all namespaces, just shrink down the permissions: 当您需要所有名称空间时, ClustRoleClusterRoleBinding是正确的,只需缩小权限即可: 

kind: ServiceAccount
apiVersion: v1
metadata:
  name: all-ns-pod-get
  namespace: your-ns

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: all-ns-pod-get
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: all-ns-pod-get
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: all-ns-pod-get
subjects:
- kind: ServiceAccount
  name: all-ns-pod-get

Then all pods in a namespace your-ns will get a k8s token automatically mounted. 然后,名称空间your-ns中的所有Pod都会自动安装一个k8s令牌。 You can use bare kubectl or k8s sdk inside a pod without passing any secrets. 您可以在吊舱内使用裸kubectl或k8s sdk,而无需传递任何秘密。 Note that you don't need to pass --token , just run the command in a pod within the namespace where you created that ServiceAccount. 请注意,您不需要通过--token ,只是一个豆荚里的运行,你创建的ServiceAccount的命名空间中的命令。

Here's a good article explaining the concepts https://medium.com/@ishagirdhar/rbac-in-kubernetes-demystified-72424901fcb3 这是一篇很好的文章,解释了概念https://medium.com/@ishagirdhar/rbac-in-kubernetes-demystified-72424901fcb3

解决方案2
 1 已采纳  2019-04-09 13:59:52

  1. Follow the below yamls and create test serviceaccount. 请遵循以下Yaml,并创建测试服务帐户。 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test
  namespace: default

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]


kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
subjects:
- kind: ServiceAccount
  name: test
  namespace: default
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

deploy test pod from the below sample 从以下示例中部署测试平台 

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: test
  name: test
spec:
  serviceAccountName: test
  containers:
  - args:
    - sleep
    - "10000"
    image: alpine
    imagePullPolicy: IfNotPresent
    name: test
    resources:
      requests:
        memory: 100Mi
  1. Install curl and kubectl 安装curl和kubectl 
kubectl exec test apk add curl
kubectl exec test -- curl -o /bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kubectl
kubectl exec test -- sh -c 'chmod +x /bin/kubectl'
  1. You should be able to list the pods from all namespaces from the test pod 您应该能够列出测试容器中所有命名空间中的容器 
master $ kubectl exec test -- sh -c 'kubectl get pods --all-namespaces'
NAMESPACE     NAME                             READY   STATUS    RESTARTS   AGE
app1          nginx-6f858d4d45-m2w6f           1/1     Running   0          19m
app1          nginx-6f858d4d45-rdvht           1/1     Running   0          19m
app1          nginx-6f858d4d45-sqs58           1/1     Running   0          19m
app1          test                             1/1     Running   0          18m
app2          nginx-6f858d4d45-6rrfl           1/1     Running   0          19m
app2          nginx-6f858d4d45-djz4b           1/1     Running   0          19m
app2          nginx-6f858d4d45-mvscr           1/1     Running   0          19m
app3          nginx-6f858d4d45-88rdt           1/1     Running   0          19m
app3          nginx-6f858d4d45-lfjx2           1/1     Running   0          19m
app3          nginx-6f858d4d45-szfdd           1/1     Running   0          19m
default       test                             1/1     Running   0          6m
kube-system   coredns-78fcdf6894-g7l6n         1/1     Running   0          33m
kube-system   coredns-78fcdf6894-r87mx         1/1     Running   0          33m
kube-system   etcd-master                      1/1     Running   0          32m
kube-system   kube-apiserver-master            1/1     Running   0          32m
kube-system   kube-controller-manager-master   1/1     Running   0          32m
kube-system   kube-proxy-vnxb7                 1/1     Running   0          33m
kube-system   kube-proxy-vwt6z                 1/1     Running   0          33m
kube-system   kube-scheduler-master            1/1     Running   0          32m
kube-system   weave-net-d5dk8                  2/2     Running   1          33m
kube-system   weave-net-qjt76                  2/2     Running   1          33m

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 用于访问所有命名空间的 Kubernetes 服务帐户 - Kubernetes service account to access all the namespaces 删除所有 kube.netes 命名空间中的所有 pod 的命令 - Command to delete all pods in all kubernetes namespaces 如何为 kubernetes 集群中的所有命名空间创建服务帐户? - how can I create a service account for all namespaces in a kubernetes cluster? Kube.netes 服务,用于在两个命名空间中选择 pod - Kubernetes Service for selecting pods in two namespaces 如何创建服务帐户以从 Kubernetes 集群中获取 pod 列表? - How to create a service account to get a list of pods from inside a Kubernetes cluster? Kubernetes-从服务或Ingress向所有Pod发送消息 - Kubernetes - Sending message to all pods from service or from Ingress 无法删除所有 Kubernetes 命名空间 Cronjob 中所有被驱逐的 pod - Cannot Remove all evicted pods in all Kubernetes namespaces Cronjob 如何提供对服务帐户的访问权限以读取多个名称空间中的Pod? - How to provide access to a service account to read pods in multiple namespaces? 如何设置 Kubernetes ClusterRole 绑定以授予“视图”访问所有命名空间的服务帐户的权限 - How to set up Kubernetes ClusterRole binding to give `view` access to a service account for all namespaces 如何从 Kube.netes 作业中的所有 pod 获取日志? - How to get logs from all pods in a Kubernetes job?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM