如何使用“kubectl auth can-i”检查“exec”授权?
[英]How can I check for “exec” authorization using `kubectl auth can-i`?
问题描述
How can I check for exec authorization using kubectl auth can-i... ?
如何使用kubectl auth can-i...检查exec授权?
While get , create , delete , etc. are considered verbs, exec is not, as shown below:虽然get 、 create 、 delete等被认为是动词,但exec不是,如下所示:
$ kubectl --kubeconfig=config-prod.yml auth can-i exec po
Warning: verb 'exec' is not a known verb
yes
Is exec authorization included in another authorization, like create ? exec授权是否包含在另一个授权中,例如create ?
1 个解决方案
解决方案1
2 已采纳 2021-03-11 15:29:19
Usually when someone is creating RBAC rules and wants to check which verbs are available for resource using:通常当有人创建RBAC规则并想要检查哪些verbs可用于资源时,使用:
$ kubectl api-resources -o wide | grep pods
pods po v1 true Pod [create delete deletecollection get list patch update watch]
However it's not all.然而,这还不是全部。 If you will use bit different approach like below:如果您将使用不同的方法,如下所示:
$ kubectl proxy &
Starting to serve on 127.0.0.1:8001
curl http://localhost:8001/api/v1
{
"kind": "APIResourceList",
"groupVersion": "v1",
"resources": [
{
...
### You will be able to find `pods` and verbs which can be used with pods
{
"name": "pods",
"singularName": "",
"namespaced": true,
"kind": "Pod",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
],
"shortNames": [
"po"
### But also `pod/exec` and `pod/logs`
{
"name": "pods/exec",
"singularName": "",
"namespaced": true,
"kind": "PodExecOptions",
"verbs": [
"create",
"get"
]
},
{
"name": "pods/log",
"singularName": "",
"namespaced": true,
"kind": "Pod",
"verbs": [
"get"
]
In Using RBAC Authorization - Referring to resources you can find information about subresource .在使用 RBAC 授权 - 参考资源中,您可以找到有关subresource资源的信息。
In the Kubernetes API, most resources are represented and accessed using a string representation of their object name, such as pods for a Pod.
In this Documentation, you have an example with pods/logs but a similar situation is for pods/exec .在本文档中,您有一个pods/logs示例,但pods/exec也有类似的情况。
If you will use command:如果您将使用命令:
$ kubectl auth can-i create pods/exec
yes
$ kubectl auth can-i get pods/exec
yes
## Or
$ kubectl auth can-i get pods --subresource=exec
yes
$ kubectl auth can-i create pods --subresource=exec
yes
Above outputs don't include Warning as I used verbs ( get and create ) from pods/exec .以上输出不包括Warning ,因为我使用了pods/exec中的verbs ( get和create )。 So that's the correct syntax, use verb and then subresource .所以这是正确的语法,使用verb ,然后使用subresource 。
Why are both outputs yes ?为什么两个输出都是yes ? I used an admin role.我使用了管理员角色。
If you want to make some tests you can create ServiceAccount (test), Role and RoleBinding .如果您想进行一些测试,您可以创建ServiceAccount (test)、 Role和RoleBinding 。 Role yamls below: Role yamls如下:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-view-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-exec-view-role
rules:
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["get"]
Outputs of auth can-i : auth can-i的输出:
$ kubectl auth can-i create pods/exec --as=system:serviceaccount:default:test
no
$ kubectl auth can-i get pods/exec --as=system:serviceaccount:default:test
yes
About the difference between create pods/exec and get pods/exec you can check github thread Users can exec into pods with the websocket endpoint even without pods/exec create privileges .关于create pods/exec和get pods/exec之间的区别,您可以查看 github 线程即使没有pods/exec create权限,用户也可以使用 websocket 端点执行到 pod 中。 Especially in @liggitt comment :特别是在@liggitt 评论中:
So the verb used with the pods/exec subresource is just supposed to indicate what HTTP method is used with that API endpoint?
That is how all the resource verbs work (with get mapping to specific verbs in the special cases list and watch).这就是所有资源动词的工作方式(get 映射到特殊情况列表和观察中的特定动词)。 See https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb请参阅https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb
So an admin building an RBAC role is expected to look at the code and figure out which HTTP methods are supported for the websocket exec endpoint?
No, the subresources and associated verbs should be included in the API doc.不,子资源和相关动词应包含在 API 文档中。 That would be worth an issue against https://github.com/kubernetes/website/issues/ to fix the generator to pick up those subresources这对于https://github.com/kubernetes/website/issues/来说是值得的,以修复生成器以获取这些子资源
Hope it answered your question.希望它回答了你的问题。 If you still have questions, let me know.如果您仍有疑问,请告诉我。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.