用于访问所有命名空间的 Kubernetes 服务帐户

Question

I am trying to access all the namespaces and pods from my another pod. So, I have created clusterrole, clusterrolebinding and service account. I am able access the only customer namespace resources. But I need to access all the namespace resources. Is it possible?

apiVersion: v1
kind: ServiceAccount
metadata:
  name: spinupcontainers
  namespace: customer

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spinupcontainers
  namespace: customer
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/exec"]
    verbs: ["get", "list", "delete", "patch", "create"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spinupcontainers
  namespace: customer
subjects:
  - kind: ServiceAccount
    name: spinupcontainers
roleRef:
  kind: ClusterRole
  name: spinupcontainers
  apiGroup: rbac.authorization.k8s.io

Could anyone help to resolve this problem?

Thanks in advance

Answer 1

It seems in your YAML example you are using a RoleBinding as opposed to a ClusterRoleBinding . A RoleBinding only grants those permissions inside of a namespace. See also the Kubernetes Documentation on this topic :

A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.

Answer 2

at the first you should create service for your deployments and for example if the name of the service is test-service and it run in the test namespace you should communicate with this service like test-service.test . in kubedns test-service.test will resolve to ip and you can communicate with service in other namespace

Answer 3

Most important thing is that you have to connect your service account to your cluster role with proper cluster role binding. Because binding types decide that scope of service account abilities. Under these circumstances, you have to describe cluster role binding as shown below;

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spinupcontainers
subjects:
- kind: ServiceAccount
  name: spinupcontainers
  namespace: customer
roleRef:
  kind: ClusterRole
  name: spinupcontainers
  apiGroup: "rbac.authorization.k8s.io"

If you want to test this within the pod you would describe respective service account for pod like below:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: busybox
  name: busybox
spec:
  containers:
  - args:
    - sleep
    - "4800"
    image: busybox:1.28
    name: busybox
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Never
  serviceAccountName: default
status: {}

And then finally you need to ssh to pod and can execute proper curl command with using service account token. Do not forget that you can find the token file in pod by defined service account to pod yaml before (in /var/run/secrets/kubernetes.io/serviceaccount). After that you have to execute API call to use kubernetes API server service (ıf you used kubeadm to create the cluster. It has been already defined in default namespace as named kubernetes). In the below, you can find proper apı call to get default namespace secrets

    curl -k -H "Authorization: Bearer $TOKEN" https://<kubernetes-apı-fqdn>/api/v1/namespaces/default/secrets