AKS RBAC - Rolebinding has no effect
I'm setting up RBAC in my AKS cluster which is integrated with Azure AD following the instructions here. I have created an AD group in my AAD tenant and added a user to it. Then the group is assigned the "Cluster User role" in the AKS cluster as per the instructions. Created a Role and Rolebinding as shown below:
Role:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: development
      name: restricted-role
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "watch", "list"]
RoleBinding:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-pods
      namespace: development
    subjects:
    - kind: Group
      name: 308f50cb-e05a-4340-99d4-xxxxxxxb
      apiGroup: rbac.authorization.k8s.io
      namespace: development
    roleRef:
      kind: Role
      name: restricted-role
      apiGroup: rbac.authorization.k8s.io
I then tried logging in using the new user credentials:

    az login --username kubeuser@xxx.onmicrosoft.com --password xxxx
    az aks get-credentials --name mycluster --resource-group myrg --overwrite-existing
As per the documentation, I should only be allowed to do kubectl get pods on the development namespace. However, using these new user credentials, I see that I can do kubectl get pods --all-namespaces, kubectl get svc --all-namespaces etc. and view the results, as if the Rolebinding does not have any impact at all. I have also verified by checking that my cluster has

    "enableRBAC": true

Can someone please tell me what is wrong with this configuration?
Using the command:

    az aks show -g <rg> -n <clusterName> --query aadProfile

you can confirm if the cluster is AAD enabled. If enabled, the kubeconfig file you get from:

    az aks get-credentials -g <rg_name> -n <aks_name>

should look like:

    user:
      auth-provider:
        config:
          apiserver-id: <appserverid>
          client-id: <clientid>
          environment: AzurePublicCloud
          tenant-id: <tenant>
        name: azure
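Following on from the answer above, an added shell example (not code from the original post, nor from Azure or AKS) that checks which kind of identity a kubeconfig carries: the AAD user, to which the RoleBinding applies, or a client certificate, which on AKS is the cluster admin credential that a namespaced Role never restricts. The kubelogin pattern, the sample kubeconfigs and their names are assumptions or constructed placeholders, and verify_binding_effective needs a real cluster.

```shell
# Added example, not code from the original post or from Azure/AKS. It tells
# whether the identity in a kubeconfig is the AAD user (to which the RoleBinding
# applies) or a client certificate, which on AKS is the cluster admin credential.
set -eu

# classify_kubeconfig_user FILE -> prints "aad", "client-cert" or "unknown",
# looking only inside the `users:` section of the kubeconfig.
classify_kubeconfig_user() {
  awk '
    /^users:/   { inside = 1; next }
    /^[^ \t-]/  { inside = 0 }
    !inside     { next }
    /^[ \t]+name:[ \t]*azure[ \t]*$/           { aad = 1 }  # azure auth-provider, as in the answer
    /^[ \t]+command:[ \t]*kubelogin/            { aad = 1 }  # newer AKS clusters: kubelogin exec plugin
    /^[ \t]+client-(certificate|key)(-data)?:/ { cert = 1 } # certificate identity
    END { if (aad) print "aad"; else if (cert) print "client-cert"; else print "unknown" }
  ' "$1"
}

# Constructed sample kubeconfigs (placeholder values, not real credentials): sample_kubeconfig aad|admin FILE
sample_kubeconfig() {
  if [ "$1" = aad ]; then
    cat > "$2" <<'EOF'
users:
- name: clusterUser_myrg_mycluster
  user:
    auth-provider:
      config:
        apiserver-id: <appserverid>
        client-id: <clientid>
        environment: AzurePublicCloud
        tenant-id: <tenant>
      name: azure
EOF
  else
    cat > "$2" <<'EOF'
users:
- name: clusterAdmin_myrg_mycluster
  user:
    client-certificate-data: PLACEHOLDER_BASE64
    client-key-data: PLACEHOLDER_BASE64
EOF
  fi
}

# Against a real cluster: expect "yes" then "no" when the AAD user is active and the binding works.
verify_binding_effective() {
  kubectl auth can-i list pods --namespace development
  kubectl auth can-i list pods --all-namespaces
}
```

If classify_kubeconfig_user reports client-cert for the file you are using, the RoleBinding is not being tested at all; re-run az aks get-credentials without --admin and with --overwrite-existing so the AAD user entry replaces the admin one.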