get vs. list in Kubernetes RBAC
What is the difference between the get and list RBAC verbs?

All I could find in the documentation is this: "get (for individual resources), list (for collections, including full object content)", which I find severely lacking. Is list a superset of get, meaning if you have list permissions, can you fetch all the information from get and more?

While we're at it, what about watch? Does it only give permissions to read the change stream but not the full object?
In practice, you can get all of the information you'd normally get out of get calls through list calls. However, having permission to list a resource doesn't mean get calls will work. You still have to use list calls and extract the information that way.

watch is a special verb that gives you permission to see updates on resources in real time. Having watch access without list or get is not very helpful because you won't be able to view the resource after it updates. Through kubectl, I was unable to watch a resource without having get access to that resource.
To play around with these roles, I'd recommend messing around with roles in a Kubernetes cluster on Katacoda.

Initial setup to make roles and grant them to (fake) users:
kubectl create role deployment-getter --verb=get --resource=deployment
kubectl create role deployment-lister --verb=list --resource=deployment
kubectl create role deployment-watcher --verb=watch --resource=deployment
# Bind each role to a distinct (non-existent) user; the user names are what --as impersonates below
kubectl create rolebinding only-get --role=deployment-getter --user=get-only
kubectl create rolebinding only-list --role=deployment-lister --user=list-only
kubectl create rolebinding only-watch --role=deployment-watcher --user=watch-only
# Make a Deployment to look at (with kubectl < 1.18 `kubectl run nginx --image=nginx` also created a Deployment; newer versions create a bare Pod)
kubectl create deployment nginx --image=nginx
Then you can run kubectl commands as one of the special users to see what limited RBAC permissions look like.

For example, the following commands show that we can only list resources with the list verb.
kubectl get deployment --as list-only # Prints out nginx deployment
kubectl get deployment --as get-only # RBAC error
kubectl get deployment --as watch-only # RBAC error
And this example shows that we can only get resources with the get verb (but you can get similar information by listing resources too).
kubectl get deployment nginx --as get-only -o yaml
# apiVersion: extensions/v1beta1
# kind: Deployment
# ...
kubectl get deployment nginx --as list-only -o yaml # RBAC error
kubectl get deployment --as list-only -o yaml
# apiVersion: v1
# kind: List
# items:
# - apiVersion: extensions/v1beta1
# kind: Deployment
# ...
The get, list, and watch RBAC verbs grant permissions for different Kubernetes API operations.

You can see the corresponding API operations for each object in the Kubernetes API reference, for example, here for the Deployment.

Here are some examples:
get

If you have the get permission on the Deployment resource, you are allowed to execute the following API request:

GET /apis/apps/v1/namespaces/{namespace}/deployments/{name}

It returns the manifest of a specific Deployment.
list

If you have the list permission, you are allowed to execute these API requests:

GET /apis/apps/v1/namespaces/{namespace}/deployments
GET /apis/apps/v1/deployments

They both return a list of manifests of Deployments: the former, of all Deployments in a specific namespace, and the latter, of all Deployments across all namespaces.
watch

If you have the watch permission, you are allowed to execute these API requests:

GET /apis/apps/v1/deployments?watch=true
GET /apis/apps/v1/namespaces/{namespace}/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments/{name} [DEPRECATED]
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments [DEPRECATED]
GET /apis/apps/v1/watch/deployments [DEPRECATED]

They open a streaming connection that returns you the full manifest of a Deployment whenever it changes (or when a new one is created).
Note that the latter three API endpoints are deprecated, and you should use the endpoints for the list operation with a watch=true parameter instead. However, this still triggers the watch API operation and not list.
Note 1

Commands like kubectl get, kubectl list, etc. just execute these API requests under the hood. For experimentation, you can execute these API requests directly.

For example, first do:

kubectl proxy

And then:

curl localhost:8001/apis/apps/v1/deployments?watch=true

Or, you can also use this (doesn't require kubectl proxy):

kubectl get --raw="/apis/apps/v1/deployments?watch=true"
Note 2

In general, the permissions don't imply each other. For example, if you have list permissions, it doesn't mean you can do get or watch requests, and if you have watch permissions, it doesn't mean you can do get or list requests.
Note 3

If you have only watch permissions (but not get and list), you can't watch with kubectl (kubectl get deployment -w) because kubectl makes a get and list request, respectively, before the watch request (to get the resource versions of the watched resources).
More examples in this answer .此答案中有更多示例。
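As an added worked example (not part of either answer above, and not Kubernetes project code), the following Python script models how kube-apiserver reduces an incoming request to the attributes RBAC evaluates before any Role rule is consulted: GET on a named object is get, GET on a collection is list, and ?watch=true (or the deprecated /watch/ path prefix) is watch regardless of which endpoint carries it, which is why list permission never covers a watch=true request. The three rule sets are constructed to mirror the deployment-getter, deployment-lister and deployment-watcher roles from the first answer; the request-to-verb mapping is a simplification of the real apiserver logic (no subresources, non-resource URLs or field selectors), and kubectl_watch_allowed models the list-then-watch sequence from Note 3 for the collection form of kubectl get -w.

```python
"""Model RBAC verb attribution and Role evaluation for Kubernetes API requests.

Constructed example: the Role rules below have the shape of a Role's `rules:`
list, and the verb mapping mirrors the apiserver's request-info logic for the
common resource URL forms. Simplified for illustration, not the real code.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Role rules mirroring the three roles created in the first answer.
ROLES = {
    "deployment-getter":  [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"]}],
    "deployment-lister":  [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["list"]}],
    "deployment-watcher": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["watch"]}],
}

# Resource URL shapes: /api/v1/... (core group) and /apis/<group>/<version>/...,
# optionally with the legacy /watch prefix, a namespace segment and an object name.
_PATH = re.compile(
    r"^/(?:api|apis/(?P<group>[^/]+))/(?P<version>[^/]+)"
    r"(?P<legacy_watch>/watch)?"
    r"(?:/namespaces/(?P<ns>[^/]+))?"
    r"/(?P<resource>[^/]+)"
    r"(?:/(?P<name>[^/]+))?/?$"
)


def request_attributes(method, url):
    """Reduce an HTTP request to what RBAC checks: verb, apiGroup, resource, namespace, name.

    For reads: a named object is `get`, a collection is `list`, and a watch=true
    query (or the deprecated /watch/ path) is `watch` on either endpoint form.
    """
    parts = urlsplit(url)
    m = _PATH.match(parts.path)
    if not m:
        raise ValueError(f"not a resource URL: {url}")
    query = parse_qs(parts.query)
    is_watch = (m.group("legacy_watch") is not None
                or query.get("watch", ["false"])[0].lower() == "true")
    name = m.group("name")
    method = method.upper()
    if method == "GET":
        verb = "watch" if is_watch else ("get" if name else "list")
    elif method == "POST":
        verb = "create"
    elif method == "PUT":
        verb = "update"
    elif method == "PATCH":
        verb = "patch"
    elif method == "DELETE":
        verb = "delete" if name else "deletecollection"
    else:
        raise ValueError(f"unsupported method {method}")
    return {
        "verb": verb,
        "apiGroup": m.group("group") or "",  # the core group is the empty string
        "resource": m.group("resource"),
        "namespace": m.group("ns"),
        "name": name,
    }


def _rule_matches(rule, attrs):
    def hit(field, value):
        granted = rule.get(field, [])
        return "*" in granted or value in granted
    return (hit("apiGroups", attrs["apiGroup"])
            and hit("resources", attrs["resource"])
            and hit("verbs", attrs["verb"]))


def allowed(role_name, method, url):
    """True if any rule of the Role grants the request. RBAC is allow-only: no rule, no access."""
    attrs = request_attributes(method, url)
    return any(_rule_matches(rule, attrs) for rule in ROLES[role_name])


def kubectl_watch_allowed(role_name, collection_url):
    """Model `kubectl get <resource> -w`: it lists first (to learn the resourceVersion)
    and only then opens the watch, so both verbs must be granted for it to work."""
    return (allowed(role_name, "GET", collection_url)
            and allowed(role_name, "GET", collection_url + "?watch=true"))


if __name__ == "__main__":
    urls = ("/apis/apps/v1/namespaces/default/deployments",
            "/apis/apps/v1/namespaces/default/deployments/nginx",
            "/apis/apps/v1/deployments?watch=true")
    for role in ROLES:
        for url in urls:
            verb = request_attributes("GET", url)["verb"]
            print(f"{role:19s} {verb:5s} {url:52s} -> {allowed(role, 'GET', url)}")
```

Running the script prints a 3x3 matrix in which each role permits exactly one URL shape, which is the "permissions don't imply each other" point of Note 2 made concrete; adapting ROLES to the rules of a real Role manifest and feeding it the paths from Note 1 gives a quick offline sanity check before trying kubectl auth can-i against a cluster.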