List of Kubernetes RBAC rule verbs
I want to give my application limited access to get the replicas of different statefulsets (and maybe deployments) and if necessary scale them up or down.
I have created a ServiceAccount, RoleBinding and Role for this but I can't find the complete list of rule verbs ("get", "watch", "list", "update") and what their limitations are, for example can I use update for scaling or do I need another verb? And where can I find a list or table that describes these verbs?
My yaml file:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1   # rbac.authorization.k8s.io/v1 is the stable API version
metadata:
  name: scaler-role
  namespace: {{ .Release.Namespace | quote }}
rules:
- apiGroups: ["apps"]
  resources: ["statefulsets"]   # RBAC resource names are plural; "statefulset" would match nothing
  verbs: ["get", "watch", "list", "update"]
The best way is
kubectl api-resources --sort-by name -o wide
The above api-resources command is explicit and easy to grep. The complete list of possible verbs can be obtained thus:
$ kubectl api-resources --no-headers --sort-by name -o wide | sed 's/.*\[//g' | tr -d "]" | tr " " "\n" | sort | uniq
create
delete
deletecollection
get
list
patch
update
watch
The Resource Operations section of the API reference docs (e.g. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/ ) talks a little bit about them but doesn't mention deletecollection (btw: see interesting info about deletecollection; it suggests that whenever you give delete, you should give deletecollection permission too, if the resource supports it).
The Determine the Request Verb section of the Authorization Overview does briefly mention deletecollection, as well as half a dozen more verbs (such as escalate, as pointed out rightfully by @RoryMcCune) which, unfortunately, do not show up in the output of the kubectl api-resources -o wide command.
BTW the api-resources command also lists the short names of commands, such as svc for services.
A list of verbs can be found here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#review-your-request-attributes
and a brief description can be found here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb
I have a role that I use for updating the docker image tag for deployments which looks like this (I don't use mine to create the deployment, just to patch the image tag):
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployer
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "patch"]
On Linux/Mac/WSL/etc.
Related to this, to know the full list of verbs for apiGroups and resources on your running cluster, including any additional ones introduced by operators or CRDs, you can do the following.
Open in a terminal:
kubectl proxy
Then on a different terminal, you can run:
# List all API urls
curl http://localhost:8001/ | yq '.paths[]'
# List all objects and verbs for an API path like /api/v1
curl http://localhost:8001/api/v1 | yq '.resources[] | [{"resources":.name,"verbs":.verbs}]'
If you want a script that lists everything in a single place in a nice way, run this:
#!/bin/bash
# Remember to run on another terminal before this script:
#   kubectl proxy
set -euo pipefail
# Show Kubernetes server version
echo -n '# '
kubectl version --short 2>/dev/null | grep 'Server'
for url in $(curl -s http://localhost:8001/ | yq '.paths[]' | xargs) ; do
  [ "$url" == "/metrics" ] && continue
  doc=$(curl -s "http://localhost:8001$url")
  # If URL doesn't publish info, skip
  [ "$doc" == "ok" ] && continue
  # Derive the apiGroup: strip the prefix (/api/v1 -> core group "", /apis/) and the version suffix (/v1, /v1beta1, /v1alpha1)
  apiGroup=$(echo "$url" | sed 's/\/api\/v1//' | sed 's/\/apis\///' | sed 's/^\///' | sed 's/\/v[0-9]*\(\(alpha\|beta\)[0-9]\+\)\?$//')
  # Get permissions and format them nicely in YAML (each resource becomes one rule)
  yaml=$(echo "$doc" | yq -M '[.resources[] | {"apiGroups":["'"$apiGroup"'"], "resources":[.name],"verbs":.verbs}] | .. style="double" | .[].* style="flow"' 2>/dev/null ||:)
  # TODO: group resources from the same apiGroup with the same verbs together
  # If document is empty, skip it
  [ "$yaml" == "[]" ] && continue
  echo ""
  echo "# $url"
  echo "$yaml"
done
You can also find that script on this gist: https://gist.github.com/vicenteherrera/0bfe2762ecd5794eba65ed19d0d51188
When you execute it, you can save the output to a file:
./list_verbs.sh >verbs.yaml
Here is a brief example of the output:
# /apis/templates.gatekeeper.sh/v1beta1
- apiGroups: ["templates.gatekeeper.sh"]
  resources: ["constrainttemplates"]
  verbs: ["delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"]
- apiGroups: ["templates.gatekeeper.sh"]
  resources: ["constrainttemplates/status"]
  verbs: ["get", "patch", "update"]
Then you can just copy and paste a YAML block from that file into your Kubernetes role; it is already in the format expected for the role.
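As an added example in Python (not from this answer or its gist), here is the grouping the script's TODO asks for, applied to a constructed copy of the apps/v1 discovery document that kubectl proxy serves, plus a least-privilege variant for the question's scaler: it refuses verbs the server does not support and shows that scaling goes through the statefulsets/scale subresource, which RBAC names separately from statefulsets. The constant and function names are mine.

```python
import json
from collections import defaultdict

# Constructed sample of what `kubectl proxy` serves at /apis/apps/v1, trimmed to
# the fields used here; the verb sets mirror a real apps/v1 discovery document.
ALL_VERBS = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
DISCOVERY_APPS_V1 = json.dumps({
    "groupVersion": "apps/v1",
    "resources": [
        {"name": "deployments", "verbs": ALL_VERBS},
        {"name": "deployments/scale", "verbs": ["get", "patch", "update"]},
        {"name": "statefulsets", "verbs": ALL_VERBS},
        {"name": "statefulsets/scale", "verbs": ["get", "patch", "update"]},
        {"name": "statefulsets/status", "verbs": ["get", "patch", "update"]},
    ],
})

# What the question asks for: read replicas and scale, nothing else. Scaling goes
# through the scale subresource, which RBAC names separately; a rule on plain
# "statefulsets" does not cover it, and a rule on it alone cannot edit the rest.
SCALER_WANTED = {
    "statefulsets": ["get", "list", "watch"],
    "statefulsets/scale": ["get", "patch", "update"],
}

def api_group(group_version):
    """'apps/v1' -> 'apps'; the core group 'v1' -> '' (RBAC's empty apiGroup)."""
    return group_version.rsplit("/", 1)[0] if "/" in group_version else ""

def supported_verbs(doc_json):
    """apiGroup plus a map from each (sub)resource name to the verbs it serves."""
    doc = json.loads(doc_json)
    return api_group(doc["groupVersion"]), {r["name"]: set(r["verbs"]) for r in doc["resources"]}

def merge_rules(group, verbs_by_name):
    """The script's TODO: one rule per distinct verb set, resources merged into it."""
    buckets = defaultdict(list)
    for name, verbs in verbs_by_name.items():
        buckets[tuple(sorted(verbs))].append(name)
    return [{"apiGroups": [group], "resources": sorted(names), "verbs": list(verbs)}
            for verbs, names in sorted(buckets.items())]

def least_privilege_rules(doc_json, wanted):
    """Only the requested verbs, refused if the server cannot serve one of them."""
    group, verbs_by_name = supported_verbs(doc_json)
    for name, verbs in wanted.items():
        unsupported = set(verbs) - verbs_by_name.get(name, set())
        if unsupported:
            raise ValueError(f"{name}: unsupported verbs {sorted(unsupported)}")
    return merge_rules(group, wanted)
```

Once the rules are in a Role, check them the way the API server will evaluate them, e.g. kubectl auth can-i update statefulsets/scale --as=system:serviceaccount:NS:SA (NS and SA are placeholders for your namespace and ServiceAccount).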