Kubernetes service account to access all the namespaces
I am trying to access all the namespaces and pods from another pod of mine. So, I have created a clusterrole, clusterrolebinding and service account. I am able to access only the customer namespace resources. But I need to access all the namespace resources. Is it possible?
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinupcontainers
  namespace: customer
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spinupcontainers
  namespace: customer   # ClusterRole is cluster-scoped; this field has no effect
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/exec"]
    verbs: ["get", "list", "delete", "patch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spinupcontainers
  namespace: customer
subjects:
  - kind: ServiceAccount
    name: spinupcontainers   # subject namespace defaults to the binding's namespace (customer)
roleRef:
  kind: ClusterRole
  name: spinupcontainers
  apiGroup: rbac.authorization.k8s.io
Could anyone help to resolve this problem?
Thanks in advance
It seems in your YAML example you are using a RoleBinding as opposed to a ClusterRoleBinding. A RoleBinding only grants those permissions inside of a namespace. See also the Kubernetes Documentation on this topic:
A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.
At first you should create a service for your deployments. For example, if the name of the service is test-service and it runs in the test namespace, you should communicate with this service as test-service.test. In kube-dns test-service.test will resolve to an IP and you can communicate with the service in the other namespace.
The most important thing is that you have to connect your service account to your cluster role with a proper cluster role binding, because the binding type decides the scope of the service account's abilities. Under these circumstances, you have to describe the cluster role binding as shown below:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spinupcontainers
subjects:
  - kind: ServiceAccount
    name: spinupcontainers
    namespace: customer
roleRef:
  kind: ClusterRole
  name: spinupcontainers
  apiGroup: "rbac.authorization.k8s.io"
If you want to test this within the pod, you would describe the respective service account for the pod like below:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: busybox
  name: busybox
spec:
  containers:
    - args:
        - sleep
        - "4800"
      image: busybox:1.28
      name: busybox
      resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
  serviceAccountName: default   # set this to the service account you want to test
status: {}
And then finally you need to ssh to the pod and can execute the proper curl command using the service account token. Do not forget that you can find the token file in the pod via the service account defined in the pod YAML before (in /var/run/secrets/kubernetes.io/serviceaccount). After that you have to execute an API call to use the Kubernetes API server service (if you used kubeadm to create the cluster, it has already been defined in the default namespace as named kubernetes). Below you can find the proper API call to get default namespace secrets:
curl -k -H "Authorization: Bearer $TOKEN" https://<kubernetes-api-fqdn>/api/v1/namespaces/default/secrets
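The scope mistake discussed in the first answer (a RoleBinding that references a ClusterRole) and the corrected ClusterRoleBinding from the last answer can both be checked before anything is applied. The script below is an added example, not code from the question or the answers: an awk-based lint that reports the effective scope of every binding in a manifest read from stdin, plus a constructed sample manifest holding both bindings. It assumes the manifests use two-space indentation as shown on this page.

```shell
# Added example, not from the original post: report the effective scope of every
# RoleBinding / ClusterRoleBinding on stdin. A RoleBinding that references a
# ClusterRole still only grants access inside the binding's own namespace.
binding_scopes() {
  awk '
    function flush() {
      if (kind == "RoleBinding")
        printf "%s %s -> %s %s scope=namespace:%s\n", kind, name, rkind, rname, (ns == "" ? "<context-default>" : ns)
      else if (kind == "ClusterRoleBinding")
        printf "%s %s -> %s %s scope=cluster\n", kind, name, rkind, rname
      kind = name = ns = rkind = rname = section = ""
    }
    /^---/     { flush(); next }
    /^[^ #-]/  { section = $1 }   # an unindented key opens a new top-level section
    $1 == "kind:"      && section == "kind:"     { kind  = $2 }
    $1 == "name:"      && section == "metadata:" { name  = $2 }
    $1 == "namespace:" && section == "metadata:" { ns    = $2 }
    $1 == "kind:"      && section == "roleRef:"  { rkind = $2 }
    $1 == "name:"      && section == "roleRef:"  { rname = $2 }
    END { flush() }
  '
}
# Constructed sample: the question's RoleBinding beside the corrected ClusterRoleBinding.
demo_manifest() {
  cat <<'EOF'
kind: RoleBinding
metadata:
  name: spinupcontainers
  namespace: customer
subjects:
  - kind: ServiceAccount
    name: spinupcontainers
roleRef:
  kind: ClusterRole
  name: spinupcontainers
---
kind: ClusterRoleBinding
metadata:
  name: spinupcontainers
subjects:
  - kind: ServiceAccount
    name: spinupcontainers
    namespace: customer
roleRef:
  kind: ClusterRole
  name: spinupcontainers
EOF
}
demo_manifest | binding_scopes
```

Against a live cluster, `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:customer:spinupcontainers` answers the same question; it only returns yes once the ClusterRoleBinding is in place.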