[英]How can I check for “exec” authorization using `kubectl auth can-i`?
How can I check for exec
authorization using kubectl auth can-i...
?如何使用
kubectl auth can-i...
检查exec
授权?
While get
, create
, delete
, etc. are considered verbs, exec
is not, as shown below:虽然
get
、 create
、 delete
等被认为是动词,但exec
不是,如下所示:
$ kubectl --kubeconfig=config-prod.yml auth can-i exec po
Warning: verb 'exec' is not a known verb
yes
Is exec
authorization included in another authorization, like create
? exec
授权是否包含在另一个授权中,例如create
?
Usually when someone is creating RBAC rules and wants to check which verbs
are available for resource using:通常当有人创建RBAC规则并想要检查哪些
verbs
可用于资源时,使用:
$ kubectl api-resources -o wide | grep pods
pods po v1 true Pod [create delete deletecollection get list patch update watch]
However it's not all.然而,这还不是全部。 If you will use bit different approach like below:
如果您将使用不同的方法,如下所示:
$ kubectl proxy &
Starting to serve on 127.0.0.1:8001
curl http://localhost:8001/api/v1
{
"kind": "APIResourceList",
"groupVersion": "v1",
"resources": [
{
...
### You will be able to find `pods` and verbs which can be used with pods
{
"name": "pods",
"singularName": "",
"namespaced": true,
"kind": "Pod",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
],
"shortNames": [
"po"
### But also `pod/exec` and `pod/logs`
{
"name": "pods/exec",
"singularName": "",
"namespaced": true,
"kind": "PodExecOptions",
"verbs": [
"create",
"get"
]
},
{
"name": "pods/log",
"singularName": "",
"namespaced": true,
"kind": "Pod",
"verbs": [
"get"
]
In Using RBAC Authorization - Referring to resources you can find information about subresource
.在使用 RBAC 授权 - 参考资源中,您可以找到有关
subresource
资源的信息。
In the Kubernetes API, most resources are represented and accessed using a string representation of their object name, such as pods for a Pod.
在 Kubernetes API 中,大多数资源都使用其 object 名称的字符串表示形式来表示和访问,例如 Pod 的 pod。 RBAC refers to resources using exactly the same name that appears in the URL for the relevant API endpoint.
RBAC 指的是使用与相关 API 端点的 URL 中出现的完全相同的名称的资源。 Some Kubernetes APIs involve a subresource, such as the logs for a Pod
一些 Kubernetes API 涉及子资源,例如 Pod 的日志
In this Documentation, you have an example with pods/logs
but a similar situation is for pods/exec
.在本文档中,您有一个
pods/logs
示例,但pods/exec
也有类似的情况。
If you will use command:如果您将使用命令:
$ kubectl auth can-i create pods/exec
yes
$ kubectl auth can-i get pods/exec
yes
## Or
$ kubectl auth can-i get pods --subresource=exec
yes
$ kubectl auth can-i create pods --subresource=exec
yes
Above outputs don't include Warning
as I used verbs
( get
and create
) from pods/exec
.以上输出不包括
Warning
,因为我使用了pods/exec
中的verbs
( get
和create
)。 So that's the correct syntax, use verb
and then subresource
.所以这是正确的语法,使用
verb
,然后使用subresource
。
Why are both outputs yes
?为什么两个输出都是
yes
? I used an admin role.我使用了管理员角色。
If you want to make some tests you can create ServiceAccount
(test), Role
and RoleBinding
.如果您想进行一些测试,您可以创建
ServiceAccount
(test)、 Role
和RoleBinding
。 Role
yamls below: Role
yamls如下:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-view-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-exec-view-role
rules:
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["get"]
Outputs of auth can-i
: auth can-i
的输出:
$ kubectl auth can-i create pods/exec --as=system:serviceaccount:default:test
no
$ kubectl auth can-i get pods/exec --as=system:serviceaccount:default:test
yes
About the difference between create pods/exec
and get pods/exec
you can check github thread Users can exec into pods with the websocket endpoint even without pods/exec create
privileges .关于
create pods/exec
和get pods/exec
之间的区别,您可以查看 github 线程即使没有pods/exec create
权限,用户也可以使用 websocket 端点执行到 pod 中。 Especially in @liggitt comment :特别是在@liggitt 评论中:
So the verb used with the pods/exec subresource is just supposed to indicate what HTTP method is used with that API endpoint?
因此,与 pods/exec 子资源一起使用的动词应该只是表明 HTTP 方法与该 API 端点一起使用?
That is how all the resource verbs work (with get mapping to specific verbs in the special cases list and watch).这就是所有资源动词的工作方式(get 映射到特殊情况列表和观察中的特定动词)。 See https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb
请参阅https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb
So an admin building an RBAC role is expected to look at the code and figure out which HTTP methods are supported for the websocket exec endpoint?
因此,构建 RBAC 角色的管理员应该查看代码并找出 websocket exec 端点支持哪些 HTTP 方法?
No, the subresources and associated verbs should be included in the API doc.不,子资源和相关动词应包含在 API 文档中。 That would be worth an issue against https://github.com/kubernetes/website/issues/ to fix the generator to pick up those subresources
这对于https://github.com/kubernetes/website/issues/来说是值得的,以修复生成器以获取这些子资源
Hope it answered your question.希望它回答了你的问题。 If you still have questions, let me know.
如果您仍有疑问,请告诉我。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.