如何调试或分析 Kubernetes RBAC 规则动词和 Api 组
[英]How to debug or analyze Kubernetes RBAC rule verbs and Api Groups
问题描述
How can I debug all Rules with their Verbs and ApiGroups for a kubernetes ServiceAccount ?
如何使用 kubernetes ServiceAccount的Verbs和ApiGroups调试所有Rules ?
2 个解决方案
解决方案1
2 已采纳 2021-01-04 07:55:51
kubectl supports testing the RBAC rights for a particular Service Account with the auth can-i sub-command. kubectl支持使用auth can-i子命令测试特定服务帐户的 RBAC 权限。 The syntax looks as follows:语法如下所示:
kubectl auth can-i -n --as system:serviceaccount:<namespace>:<serviceaccount> <verb> <resource>
For example:例如:
kubectl auth can-i --as system:serviceaccount:default:my-serviceaccount create deployments
解决方案2
1 2021-01-03 11:50:00
k9s offer some nice views for this task: k9s为这个任务提供了一些不错的视图:
1. Find Role Bindings 1.查找角色绑定
First you have to find the ClusterRoleBindings or RoleBindings for a ServiceAccount:首先,您必须找到 ServiceAccount 的 ClusterRoleBindings 或 RoleBindings:
- Type
:andclusterrolebindingsorrolebindings类型:和clusterrolebindings或rolebindings - Search for your ServiceAccount by
/and name of ServiceAccount (egmonitor-kube-prometheus-st-operator)通过/和 ServiceAccount 的名称搜索您的 ServiceAccount(例如monitor-kube-prometheus-st-operator) - Now k9s lists all
(Cluster)RoleBindings现在k9s列出了所有(Cluster)RoleBindings
2. Display Role Bindings 2.显示角色绑定
- Open
(Cluster)RoleBindings打开(Cluster)RoleBindings - All given and forbidden rules are displayed:显示所有给定和禁止的规则:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.