How can I access Microk8s in read-only mode?

I would like to read the state of K8s using µK8s, but I don't want to have rights to modify anything. How to achieve this?

The following will give me full access:

microk8s.kubectl
Insufficient permissions to access MicroK8s. You can either try again with sudo or add the user digital to the 'microk8s' group:

    sudo usermod -a -G microk8s digital
    sudo chown -f -R digital ~/.kube

The new group will be available on the user's next login.

On Unix/Linux we can just set appropriate file/directory access permissions - just rx, decrease shell limits (like max memory/open file descriptors), decrease process priority (nice -19). We are looking for a similar solution for K8S.

This kind of solution in Kubernetes is handled via RBAC (Role-based access control). RBAC prevents unauthorized users from viewing or modifying the cluster state. Because the API server exposes a REST interface, users perform actions by sending HTTP requests to the server. Users authenticate themselves by including credentials in the request (an authentication token, username and password, or a client certificate).

As for REST clients you get GET, POST, PUT, DELETE etc. These are sent to specific URL paths that represent specific REST API resources (Pods, Services, Deployments and so on).

RBAC auth is configured with two groups:

  • Roles and ClusterRoles - these specify which actions/verbs can be performed
  • RoleBindings and ClusterRoleBindings - these bind the above roles to a user, group or service account.

As you might have already found out, the ClusterRole is the one you might be looking for. This will allow restricting a specific user or group against the cluster. In the example below we are creating a ClusterRole that can only list pods. The namespace is omitted since ClusterRoles are not namespaced.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-viewer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]

This permission then has to be bound via a ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to list pods in any namespace.
kind: ClusterRoleBinding
metadata:
  name: list-pods-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-viewer
  apiGroup: rbac.authorization.k8s.io

Because you don't have enough permissions on your own, you have to reach out to the appropriate person who manages those to create a user for you that has the ClusterRole: view. The view role should already be predefined in the cluster (kubectl get clusterrole view).

If you wish to read more, the Kubernetes docs explain well the whole concept of authorization.
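To see what the pod-viewer ClusterRole above actually permits before asking an admin to bind it, here is an added example (not from the answer or from Kubernetes itself) that mirrors the documented PolicyRule matching of the RBAC authorizer: apiGroups, resources and verbs each match by exact name or "*", optional resourceNames restrict a rule to named objects, and RBAC is allow-only, so any matching rule in any bound role grants the request. The roles, the "manager" group binding and the reduced "view" role are constructed for the example; the real view role covers many more resources.

```python
# Local approximation of Kubernetes RBAC rule matching (added example, not
# the API server's code). Roles and bindings below are constructed inputs.

# The ClusterRole from the answer: only the "list" verb on core-group pods.
POD_VIEWER = {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]}

# Constructed subset of the built-in "view" ClusterRole (read verbs only).
VIEW_SUBSET = {"rules": [{"apiGroups": [""], "resources": ["pods", "services", "configmaps"],
                          "verbs": ["get", "list", "watch"]}]}

ROLES = {"pod-viewer": POD_VIEWER, "view": VIEW_SUBSET}

# The ClusterRoleBinding from the answer, plus a second one for the "view" role.
BINDINGS = [
    {"subjects": [{"kind": "Group", "name": "manager"}], "roleRef": {"name": "pod-viewer"}},
    {"subjects": [{"kind": "User", "name": "digital"}], "roleRef": {"name": "view"}},
]


def _matches(allowed, wanted):
    """A rule field matches on exact name or on the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, api_group, resource, name=None):
    """True if one PolicyRule grants `verb` on `resource` in `api_group`."""
    if not (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb)):
        return False
    names = rule.get("resourceNames")
    # A rule with resourceNames only matches requests for one of those objects;
    # an unnamed request such as a list is not matched by it.
    return not names or (name is not None and name in names)


def can_i(role, verb, resource, api_group="", name=None):
    """RBAC is allow-only: any matching rule grants, nothing ever denies."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in role["rules"])


def subject_can(kind, subject_name, verb, resource, api_group="", name=None):
    """Union of every role bound to the subject. Subject names are case sensitive."""
    for b in BINDINGS:
        if any(s["kind"] == kind and s["name"] == subject_name for s in b["subjects"]):
            if can_i(ROLES[b["roleRef"]["name"]], verb, resource, api_group, name):
                return True
    return False


if __name__ == "__main__":
    # `kubectl get pods` issues a list; `kubectl get pod nginx` issues a get,
    # which pod-viewer does not grant.
    print(subject_can("Group", "manager", "list", "pods"))            # True
    print(subject_can("Group", "manager", "get", "pods", name="nginx"))  # False
```

Only `list` is granted by pod-viewer, so `kubectl get pod <name>` (a `get`) and anything outside the core API group, such as Deployments in `apps`, would be refused; the `view` role is what grants the usual read set of `get`, `list` and `watch`.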
