[英]Grant Kubernetes service account privileges to get pods from all namespaces
I would like to grant a Kubernetes service account privileges for executing kubectl --token $token get pod --all-namespaces
. 我想授予Kubernetes服务帐户特权以执行
kubectl --token $token get pod --all-namespaces
。 I'm familiar with doing this for a single namespace but don't know how to do it for all (including new ones that may be created in the future and without granting the service account full admin privileges ). 我熟悉对单个名称空间执行此操作,但不知道如何对所有名称空间执行此操作(包括将来可能会创建且未授予服务帐户完全管理员权限的新名称空间 )。
Currently I receive this error message: 目前,我收到此错误消息:
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kube-system:test" cannot list resource "pods" in API group "" at the cluster scope
来自服务器的错误(禁止):禁止使用pod:用户“ system:serviceaccount:kube-system:test”无法在群集作用域的API组“”中列出资源“ pods”
What (cluster) roles and role bindings are required? 需要哪些(群集)角色和角色绑定?
UPDATE Assigning role view
to the service with the following ClusterRoleBinding
works and is a step forward. UPDATE通过以下
ClusterRoleBinding
将角色view
分配给服务可以ClusterRoleBinding
工作,并且是向前迈出的一步。 However, I'd like to confine the service account's privileges further to the minimum required. 但是,我想进一步限制服务帐户的权限。
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test
subjects:
- kind: ServiceAccount
name: test
namespace: kube-system
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
The service account's token can be extracted as follows: 可以如下提取服务帐户的令牌:
secret=$(kubectl get serviceaccount test -n kube-system -o=jsonpath='{.secrets[0].name}')
token=$(kubectl get secret $secret -n kube-system -o=jsonpath='{.data.token}' | base64 --decode -)
ClustRole
& ClusterRoleBinding
are correct when you need all namespaces, just shrink down the permissions: 当您需要所有名称空间时,
ClustRole
和ClusterRoleBinding
是正确的,只需缩小权限即可:
kind: ServiceAccount
apiVersion: v1
metadata:
name: all-ns-pod-get
namespace: your-ns
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: all-ns-pod-get
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: all-ns-pod-get
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: all-ns-pod-get
subjects:
- kind: ServiceAccount
name: all-ns-pod-get
Then all pods in a namespace your-ns
will get a k8s token automatically mounted. 然后,名称空间
your-ns
中的所有Pod都会自动安装一个k8s令牌。 You can use bare kubectl or k8s sdk inside a pod without passing any secrets. 您可以在吊舱内使用裸kubectl或k8s sdk,而无需传递任何秘密。 Note that you don't need to pass
--token
, just run the command in a pod within the namespace where you created that ServiceAccount. 请注意,您不需要通过
--token
,只是一个豆荚里的运行,你创建的ServiceAccount的命名空间中的命令。
Here's a good article explaining the concepts https://medium.com/@ishagirdhar/rbac-in-kubernetes-demystified-72424901fcb3 这是一篇很好的文章,解释了概念https://medium.com/@ishagirdhar/rbac-in-kubernetes-demystified-72424901fcb3
apiVersion: v1
kind: ServiceAccount
metadata:
name: test
namespace: default
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: test
subjects:
- kind: ServiceAccount
name: test
namespace: default
roleRef:
kind: ClusterRole
name: pod-reader
apiGroup: rbac.authorization.k8s.io
deploy test pod from the below sample 从以下示例中部署测试平台
apiVersion: v1
kind: Pod
metadata:
labels:
run: test
name: test
spec:
serviceAccountName: test
containers:
- args:
- sleep
- "10000"
image: alpine
imagePullPolicy: IfNotPresent
name: test
resources:
requests:
memory: 100Mi
kubectl exec test apk add curl
kubectl exec test -- curl -o /bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kubectl
kubectl exec test -- sh -c 'chmod +x /bin/kubectl'
master $ kubectl exec test -- sh -c 'kubectl get pods --all-namespaces'
NAMESPACE NAME READY STATUS RESTARTS AGE
app1 nginx-6f858d4d45-m2w6f 1/1 Running 0 19m
app1 nginx-6f858d4d45-rdvht 1/1 Running 0 19m
app1 nginx-6f858d4d45-sqs58 1/1 Running 0 19m
app1 test 1/1 Running 0 18m
app2 nginx-6f858d4d45-6rrfl 1/1 Running 0 19m
app2 nginx-6f858d4d45-djz4b 1/1 Running 0 19m
app2 nginx-6f858d4d45-mvscr 1/1 Running 0 19m
app3 nginx-6f858d4d45-88rdt 1/1 Running 0 19m
app3 nginx-6f858d4d45-lfjx2 1/1 Running 0 19m
app3 nginx-6f858d4d45-szfdd 1/1 Running 0 19m
default test 1/1 Running 0 6m
kube-system coredns-78fcdf6894-g7l6n 1/1 Running 0 33m
kube-system coredns-78fcdf6894-r87mx 1/1 Running 0 33m
kube-system etcd-master 1/1 Running 0 32m
kube-system kube-apiserver-master 1/1 Running 0 32m
kube-system kube-controller-manager-master 1/1 Running 0 32m
kube-system kube-proxy-vnxb7 1/1 Running 0 33m
kube-system kube-proxy-vwt6z 1/1 Running 0 33m
kube-system kube-scheduler-master 1/1 Running 0 32m
kube-system weave-net-d5dk8 2/2 Running 1 33m
kube-system weave-net-qjt76 2/2 Running 1 33m
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.