
GKE Kubernetes RBAC bind default role to my limited custom

I'm using GKE to create a custom user that can only access a specific namespace; I used the following yaml:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: develop-user
  namespace: develop

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: develop-user-full-access
  namespace: develop
rules:
- apiGroups: rbac.authorization.k8s.io
  resources:
  - services
  verbs: ["get"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: develop-user-view
  namespace: develop
subjects:
- kind: ServiceAccount
  name: develop-user
  namespace: develop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: develop-user-full-access

So I got the credentials and added them to my kubeconfig, and after switching the context to this new service account I found that I can still access everything.
Why does this happen, and how do I fix it?

My kubeconfig (pastebin copy: https://pastebin.com/s5Nd6Dnn):

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: %certificate-data%
    server: https://animeheaven.nyah
  name: anime-cluster-develop
contexts:
- context:
    cluster: anime-cluster-develop
    namespace: develop
    user: develop-user
  name: anime-develop
current-context: anime-develop
kind: Config
preferences: {}
users:
- name: develop-user
  user:
    client-key-data: %certdata%
    token: %tokenkey%

https://medium.com/uptime-99/making-sense-of-kubernetes-rbac-and-iam-roles-on-gke-914131b01922
https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28

These two articles finally helped me! I was close to giving up over this silly stuff, but thanks to uptime-99 and ManagedKube I made it! Hooray!

The key is to create a kubernetes-viewer user in gcloud and then create a role for it; that's the hint!

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: develop
  name: allow-developer-port-forward
rules:
- apiGroups: [""]                          # pods and pods/portforward live in the core ("") API group
  resources: ["pods", "pods/portforward"]
  verbs: ["get", "list", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: anime-developer-port-access
  namespace: develop
subjects:
- kind: User
  name: ANIMEDEVERLOP@gmail.com            # the Google account email, as GKE presents the user to RBAC
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-developer-port-forward
  apiGroup: rbac.authorization.k8s.io      # the API server defaults an empty roleRef.apiGroup to this value

Then:

kubectl apply -f accessconfig.yaml

That's it!
Have a nice day!

Here is a good article on how to set this up: https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html

In general your config is fine; what I changed is the line - apiGroups: rbac.authorization.k8s.io, replaced with:

- apiGroups: ["", "extensions", "apps"]

Then apply the following steps:

  1. Create the develop namespace:
$ kubectl create namespace develop
  2. Create the RBAC objects from your config:
$ kubectl apply -f rbac.yaml
  3. Read the cluster IP, token and CA certificate:
$ kubectl cluster-info
$ kubectl get secret develop-user-token-2wsnb -o jsonpath={.data.token} -n develop | base64 --decode
$ kubectl get secret develop-user-token-2wsnb -o "jsonpath={.data['ca\.crt']}" -n develop
  4. Fill in the ~/.kube/config file (as described in the linked guide).
  5. Switch the context to develop.
  6. Check that the user can only access services in the develop namespace:
$ kubectl get service my-service -n mynamespace
Error from server (Forbidden): services "my-service" is forbidden: User "system:serviceaccount:develop:develop-user" cannot get services in the namespace "mynamespace"
$ kubectl get service my-service -n develop
Error from server (NotFound): services "my-service" not found
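Neither answer shows how to check what a Role really grants before handing the credentials to someone. The following is an added example, not code from the page, from Kubernetes, from GKE or from either answer: a small offline evaluator of namespaced RBAC rules, with the page's Role and RoleBinding manifests reconstructed as Python dicts (constructed here for the example). It covers both answers at once: the second answer's API-group fix (services are served by the core "" group, so the original apiGroups: rbac.authorization.k8s.io can never match a request for services), the namespace scoping that produces the Forbidden error quoted above, and what the first answer's port-forward Role grants, including create on pods, which lets the user run arbitrary pods in the namespace. The tightened port-forward Role at the end is an assumption of this example, not something the page proposes.

```python
"""Offline evaluator for namespaced Kubernetes RBAC (Role + RoleBinding).

Added example for this page, not code from Kubernetes, GKE or either answer.
It mirrors the RBAC authorizer's rule matching (apiGroups/resources/verbs, the
"*" wildcard, "*/subresource" forms, namespace scoping of RoleBindings) closely
enough to show why the asker's Role grants nothing and what the corrected Roles
grant. Manifests below are constructed dicts mirroring the page's YAML.
"""


def service_account_user(namespace: str, name: str) -> str:
    # The username Kubernetes assigns a ServiceAccount; it is the name shown
    # in the Forbidden error quoted in the second answer.
    return f"system:serviceaccount:{namespace}:{name}"

def _subject_matches(subject: dict, user: str) -> bool:
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "ServiceAccount":
        return service_account_user(subject["namespace"], subject["name"]) == user
    return False  # Group subjects are not modelled here

def _rule_matches(rule: dict, group: str, resource: str, verb: str) -> bool:
    """A PolicyRule matches only if group, resource and verb all match."""
    groups = rule.get("apiGroups", [])
    if isinstance(groups, str):
        # The API field is a list of strings; the asker's bare string is
        # wrapped here only so the group mismatch itself can be demonstrated.
        groups = [groups]
    if "*" not in groups and group not in groups:
        return False
    sub = resource.partition("/")[2]  # "" for a plain resource
    if not any(r == "*" or r == resource or (sub and r == f"*/{sub}")
               for r in rule.get("resources", [])):
        return False
    verbs = rule.get("verbs", [])
    return "*" in verbs or verb in verbs

def can_i(user: str, verb: str, resource: str, namespace: str,
          roles: list, bindings: list, group: str = "") -> bool:
    """Offline form of: kubectl auth can-i VERB RESOURCE -n NAMESPACE --as USER

    Only RoleBindings in the requested namespace are consulted, which is why
    a Role bound in 'develop' can never grant anything in 'mynamespace'.
    """
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue
        if not any(_subject_matches(s, user) for s in b["subjects"]):
            continue
        if b["roleRef"]["kind"] != "Role":  # ClusterRole refs are out of scope
            continue
        role = by_key.get((namespace, b["roleRef"]["name"]))  # dangling ref: nothing
        if role and any(_rule_matches(rule, group, resource, verb) for rule in role["rules"]):
            return True
    return False


# --- constructed manifests mirroring the YAML on the page -------------------
NS = "develop"
ASKER_ROLE = {"metadata": {"name": "develop-user-full-access", "namespace": NS},
              "rules": [{"apiGroups": "rbac.authorization.k8s.io",  # services are not here
                         "resources": ["services"], "verbs": ["get"]}]}
FIXED_ROLE = {"metadata": {"name": "develop-user-full-access", "namespace": NS},
              "rules": [{"apiGroups": ["", "extensions", "apps"],  # "" is the core group
                         "resources": ["services"], "verbs": ["get"]}]}
SA_BINDING = {"metadata": {"name": "develop-user-view", "namespace": NS},
              "subjects": [{"kind": "ServiceAccount", "name": "develop-user", "namespace": NS}],
              "roleRef": {"kind": "Role", "name": "develop-user-full-access"}}
PORTFWD_ROLE = {"metadata": {"name": "allow-developer-port-forward", "namespace": NS},
                "rules": [{"apiGroups": [""], "resources": ["pods", "pods/portforward"],
                           "verbs": ["get", "list", "create"]}]}
# Tightened variant (an assumption of this example, not from the page): port-forward
# still works, but the user can no longer create arbitrary pods in the namespace.
TIGHT_PORTFWD_ROLE = {"metadata": {"name": "allow-developer-port-forward", "namespace": NS},
                      "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
                                {"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["create"]}]}
USER_BINDING = {"metadata": {"name": "anime-developer-port-access", "namespace": NS},
                "subjects": [{"kind": "User", "name": "ANIMEDEVERLOP@gmail.com"}],
                "roleRef": {"kind": "Role", "name": "allow-developer-port-forward"}}
DEV_SA = service_account_user(NS, "develop-user")
DEV_USER = "ANIMEDEVERLOP@gmail.com"


def audit() -> dict:
    """The checks a practitioner would run with 'kubectl auth can-i' before handing out credentials."""
    def sa(verb, res, ns, role):
        return can_i(DEV_SA, verb, res, ns, [role], [SA_BINDING])
    def usr(verb, res, ns, role):
        return can_i(DEV_USER, verb, res, ns, [role], [USER_BINDING])
    return {
        "asker_get_services_develop": sa("get", "services", NS, ASKER_ROLE),
        "fixed_get_services_develop": sa("get", "services", NS, FIXED_ROLE),
        "fixed_get_services_mynamespace": sa("get", "services", "mynamespace", FIXED_ROLE),
        "portfwd_create_portforward": usr("create", "pods/portforward", NS, PORTFWD_ROLE),
        "portfwd_create_pods": usr("create", "pods", NS, PORTFWD_ROLE),  # over-broad
        "tight_create_portforward": usr("create", "pods/portforward", NS, TIGHT_PORTFWD_ROLE),
        "tight_create_pods": usr("create", "pods", NS, TIGHT_PORTFWD_ROLE),
    }
```

On a live cluster the same questions are answered without switching kubeconfig contexts by impersonation, for example kubectl auth can-i get services -n mynamespace --as=system:serviceaccount:develop:develop-user. Two caveats: RBAC is only one authorizer, and on GKE the permissions of the caller's Cloud IAM role apply in addition, so a kubeconfig that still carries the gcloud user's credentials can look unrestricted whatever the Role says; and from Kubernetes 1.24 onward the develop-user-token-... secret read in step 3 is no longer created automatically, so kubectl create token develop-user -n develop is the way to obtain a (short-lived) token for the service account.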

