Limit/Controlled kubectl exec command
I am still a bit of a Kubernetes newbie. But I am looking for a way to give developers controlled access to the kubectl exec command. I want to let them run most read-only commands but prevent some high-risk commands and also prevent interactive download/install etc. Also want to log all their actions during sessions for audit purposes.
I am not seeing any straightforward way to do it using RBAC. Also not seeing those options in Rancher either. I am looking for some guidance and direction to achieve such capability.
I am sure some of you have achieved it some way.
Kubernetes RBAC can only validate whether you can or cannot exec into pods (by checking the create verb on the pods/exec resource); after that it switches to the SPDY protocol and passes your input and returns output from the analog of docker exec on your container runtime, without actually caring about what's going in and out.
With RBAC you also have to specify the pod name, which might be problematic if you are using Deployments, where each new revision will generate a different pod name. Since pattern matching is not implemented in RBAC, you would have to change your role every time a new pod name is generated.
So the answer is "No, you can't do it with RBAC".
An alternative solution would be to use some kind of CI/CD (Jenkins, GitLab CI etc.) or orchestration tool (Rundeck, Ansible Tower etc.) where you will create some kind of script, where your developers would pass arguments to a job controlled by you, i.e.
kubectl exec deploy/foo -- /bin/bar baz "$DEV_ARGUMENT"
Which, essentially, means that you would be responsible for managing access to that job/script, creating and maintaining a serviceAccount for that script, etc.
If you are afraid of image mutability, i.e. you don't want your developers to install something in a running container, but otherwise are okay with giving them a shell on it (remember, they can still read any secrets/env vars/configMaps and even serviceAccount tokens that the pod uses if you mount them by default), you should consider the following:
- Don't run containers as root. Try to use images that support rootless operation, and then either specify the correct non-root UID in the runAsUser field in securityContext, or configure the runAsNonRoot: true flag to deny containers running as root.
- You can also make your pod immutable by using readOnlyRootFilesystem in the security context, which will deny write operations to pod ephemeral storage (but if you mounted any volume as RW, they will still be accessible to write operations). Feasibility of this approach depends on whether your apps use some kind of temporary files or not.
Relevant links:
- A link explaining how exec actually works: https://erkanerol.github.io/post/how-kubectl-exec-works/
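The two mechanisms from the answer above, written out as an added example (not from the original post or from the Kubernetes project): a Role that grants exec only on one exact pod name, which shows the pattern-matching limitation, and a pod spec hardened with runAsNonRoot and readOnlyRootFilesystem plus an emptyDir for the temporary-files caveat. The namespace dev, the pod name, the UID and the image are placeholders, and the RoleBinding that attaches the Role to a developer group is omitted.

```yaml
# Added example, not from the original post. Namespace, names, UID and image are placeholders.
# 1) RBAC: "create" on pods/exec is all the API server checks for kubectl exec.
#    resourceNames must be the exact pod name; there is no wildcard or prefix match,
#    so a new Deployment revision (new pod name) silently falls outside this Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: exec-foo-only
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
    resourceNames: ["foo-5d8c7b9f4-abcde"]   # placeholder; must be updated on every rollout
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]                  # kubectl exec reads the pod object first
---
# 2) Non-root, immutable container: an exec shell still works, but cannot run as root or
#    write to the image filesystem. Apps that need scratch space get an emptyDir on /tmp;
#    that mount stays writable, which is the RW-volume caveat from the answer.
apiVersion: v1
kind: Pod
metadata:
  name: foo-5d8c7b9f4-abcde
  namespace: dev
spec:
  securityContext:
    runAsNonRoot: true                      # kubelet refuses to start the container as UID 0
    runAsUser: 10001                        # placeholder non-root UID the image is built for
  containers:
    - name: app
      image: example.invalid/foo:1.0         # placeholder image
      securityContext:
        readOnlyRootFilesystem: true        # denies writes to the container's ephemeral storage
      volumeMounts:
        - name: tmp
          mountPath: /tmp                   # the only writable path in this container
  volumes:
    - name: tmp
      emptyDir: {}
```

Apply with kubectl apply -f and check the RBAC side with kubectl auth can-i create pods/exec -n dev --as=<user> (the subresource check is what kubectl exec triggers); note that kubectl auth can-i does not take the resourceNames restriction into account unless you pass the exact name with /<pod-name>.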