
Kubernetes RBAC "Allowed by RoleBinding" but "cannot list resource"

I'm deploying an application to my Kubernetes cluster that uses the Kubernetes API to list the pods in the cluster (not only the ones in its namespace). The application will live in its own namespace.

The RBAC rules are as follows:

# rbac.authorization.k8s.io/v1 replaces v1beta1, which is no longer served
# by current API servers; the objects are otherwise unchanged.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# A RoleBinding is namespaced: it only grants the referenced ClusterRole
# within metadata.namespace (here "kubecontrol").
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubecontrol-rbac-role-binding
  namespace: kubecontrol
subjects:
  - kind: ServiceAccount
    namespace: kubecontrol
    name: default
roleRef:
  kind: ClusterRole
  name: kubecontrol-rbac-role
  apiGroup: rbac.authorization.k8s.io

As you can see, I have a ClusterRole that grants "list", "get" and "watch" permissions on the "pods" resource, and a RoleBinding that applies this ClusterRole to the default ServiceAccount of the namespace.

When I check the authorisation with kubectl auth can-i, this configuration would appear to be correct:

$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods
yes
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods --v=8
...
I0326 23:17:05.125188   56505 request.go:947] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"kubecontrol","verb":"list","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"kubecontrol-rbac-role-binding/kubecontrol\" of ClusterRole \"kubecontrol-rbac-role\" to ServiceAccount \"default/kubecontrol\""}}

RBAC: allowed by RoleBinding "kubecontrol-rbac-role-binding/kubecontrol" of ClusterRole "kubecontrol-rbac-role" to ServiceAccount "default/kubecontrol"

However, when I actually try to perform the operation, I get told I'm not allowed to do so:

$ kubectl get pod --as=system:serviceaccount:kubecontrol:default --all-namespaces
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kubecontrol:default" cannot list resource "pods" in API group "" at the cluster scope

I see the same error message in my application.

The user (system:serviceaccount:kubecontrol:default) is identical in both scenarios, so why am I not able to list pods even though, according to Kubernetes itself, I should be able to? Is there something I'm missing?

With --all-namespaces you list the pods in all namespaces of the cluster. But since you used only a RoleBinding, you have the rights from the ClusterRole only for the given namespace (in your case the namespace kubecontrol). You have to use a ClusterRoleBinding instead to get the ClusterRole for the whole cluster.
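As an added example (not part of the original question or answer), the manifests below apply the fix the answer describes: the same ClusterRole from the question, but bound with a ClusterRoleBinding so the grant is cluster-scoped. The ServiceAccount name kubecontrol-reader is an assumption; it is used instead of the namespace's default ServiceAccount so that every other pod in kubecontrol does not silently inherit cluster-wide read access to pods.

```yaml
# Added example: cluster-scoped read access to pods for a dedicated ServiceAccount.
# Everything except the ClusterRole name (kubecontrol-rbac-role) is an assumption.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubecontrol-reader          # assumed name; deliberately not "default"
  namespace: kubecontrol
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
# A ClusterRoleBinding has no namespace: the grant applies at the cluster scope,
# which is what "kubectl get pods --all-namespaces" (a list with no namespace) needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubecontrol-rbac-role-binding
subjects:
- kind: ServiceAccount
  name: kubecontrol-reader
  namespace: kubecontrol            # the subject is still namespaced; the grant is not
roleRef:
  kind: ClusterRole
  name: kubecontrol-rbac-role
  apiGroup: rbac.authorization.k8s.io
```

After applying this, the pod spec of the application must set `serviceAccountName: kubecontrol-reader`, and the old namespaced RoleBinding can be deleted since it is now redundant (a RoleBinding cannot be edited into a ClusterRoleBinding; they are different kinds). The check that matches the failing request is the cluster-scoped one: `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:kubecontrol:kubecontrol-reader` should now answer `yes`. The original `kubectl -n kubecontrol auth can-i ...` answered `yes` because `-n kubecontrol` made it a namespaced SubjectAccessReview, while the Forbidden message says "at the cluster scope", which is the tell that a list across all namespaces is a different request from a list inside one namespace.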

Disclaimer: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost them, please cite this site or the original address.

 