堆栈内存溢出
  简体   繁体   English

如何在 Kubernetes 中创建一个没有权限的服务帐户?

[英]How to create a service account with no permissions in Kubernetes?

 原文  2020-03-18 15:19:58       kubernetes

问题描述

I want to create a serviceaccount in Kubernetes with no permissions.我想在 Kubernetes 中创建一个没有权限的serviceaccount

However, creating a new serviceaccount as follows results in a privileged serviceaccount , sa , that is able to eg retrieve pod information:但是,如下创建一个新的serviceaccount产生一个特权serviceaccountsa ,它能够例如检索 pod 信息:

kubectl create serviceaccount sa -n devns

nlykkei:~/projects/k8s-examples$ kubectl get pods --as=system:serviceaccount:devns:sa -v6
I0318 16:12:34.161300    3466 loader.go:359] Config loaded from file:  /Users/nlykkei/.kube/config
I0318 16:12:34.179023    3466 round_trippers.go:438] GET https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods?limit=500 200 OK in 11 milliseconds
I0318 16:12:34.179299    3466 get.go:564] no kind "Table" is registered for version "meta.k8s.io/v1beta1" in scheme "k8s.io/kubernetes/pkg/api/legacyscheme/scheme.go:30"
No resources found.

nlykkei:~/projects/k8s-examples$ kubectl auth can-i --list --as=system:serviceaccount:devns:sa
Resources                                       Non-Resource URLs   Resource Names   Verbs
*.*                                             []                  []               [*]
                                                [*]                 []               [*]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

How can I create a serviceaccount with no permissions initially?如何创建一个serviceaccount没有权限最初?

1 个解决方案

解决方案1
 1  2020-03-19 05:07:32

DfM Kubernetes 注入了一个名为 docker-for-desktop-binding 的 ClusterRoleBinding,它确实为所有东西提供了所有权限。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 kube.netes 服务账号权限 - kubernetes service account permissions Kubernetes 服务帐号默认权限 - Kubernetes service account default permissions 如何将 RBAC 权限分配给系统:Kubernetes 中的匿名服务帐户? - How to assign RBAC permissions to system:anonymous service account in Kubernetes? 为Secrets授予Kubernetes服务帐户权限? - Granting a Kubernetes Service Account permissions for Secrets? 如何使用 Kubernetes 版本 1.24 为服务帐户创建密钥 - How to create a secret for service account using Kubernetes version 1.24 如何为 kubernetes 集群中的所有命名空间创建服务帐户? - how can I create a service account for all namespaces in a kubernetes cluster? 如何删除kubernetes中的服务帐户? - How to delete a service account in kubernetes? 新的 Kubernetes 服务帐户似乎具有集群管理员权限 - New Kubernetes service account appears to have cluster admin permissions 如何防止滥用kubernetes服务帐户 - How to prevent misuse of kubernetes service account 如何验证Kubernetes服务帐户令牌(JWT) - How to verify Kubernetes service account token (JWT)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM