[英]GKE Kubernetes RBAC bind default role to my limited custom
我正在使用GI來創建一個只能訪問特定名稱空間的自定義用戶,我使用了以下yaml:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: develop-user
namespace: develop
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: develop-user-full-access
namespace: develop
rules:
- apiGroups: rbac.authorization.k8s.io
resources:
- services
verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: develop-user-view
namespace: develop
subjects:
- kind: ServiceAccount
name: develop-user
namespace: develop
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: develop-user-full-access
所以當我將上下文切換到這個新服務帳戶並發現我仍然可以訪問所有內容后,我得到了證書並添加到我的kube配置中。
為什么會發生以及如何解決?
我的kubeconfig(astebin副本: https ://pastebin.com/s5Nd6Dnn):
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: %certificate-data%
server: https://animeheaven.nyah
name: anime-cluster-develop
contexts:
- context:
cluster: anime-cluster-develop
namespace: develop
user: develop-user
name: anime-develop
current-context: anime-develop
kind: Config
preferences: {}
users:
- name: develop-user
user:
client-key-data: %certdata%
token: %tokenkey%
https://medium.com/uptime-99/making-sense-of-kubernetes-rbac-and-iam-roles-on-gke-914131b01922
https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28
這兩篇文章終於對我有所幫助! 由於這些愚蠢的東西,我幾乎感到沮喪,這要歸功於uptime-99和ManagedKube我做到了! 好極了!
關鍵是在gcloud中創建kubernetes-viewer用戶,然后為他創建一個角色,這是一個提示!
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: develop
name: allow-developer-port-forward
rules:
- apiGroups: [""]
resources: ["pods", "pods/portforward"]
verbs: ["get", "list", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: anime-developer-port-access
namespace: develop
subjects:
- kind: User
name: ANIMEDEVERLOP@gmail.com
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-developer-port-forward
apiGroup: ""
然后
kubectly應用-f accessconfig.yaml
而已!
祝你今天愉快!
這是一篇有關如何設置它的好文章: https : //jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html 。
通常,您的配置很好,我更改的是以下行- apiGroups: rbac.authorization.k8s.io
更改為:
- apiGroups: ["", "extensions", "apps"]
然后,應用以下步驟:
develop
命名空間 $ kubectl create namespace develop
$ kubectl apply -f rbac.yaml
$ kubectl cluster-info
$ kubectl get secret develop-user-token-2wsnb -o jsonpath={.data.token} -n develop | base64 --decode
$ kubectl get secret develop-user-token-2wsnb -o "jsonpath={.data['ca\.crt']}" -n develop
~/.kube/config
文件(如鏈接指南中所述 ) develop
develop
名稱空間中的檢查服務。 $ kubectl get service my-service -n mynamespace
Error from server (Forbidden): services "my-service" is forbidden: User "system:serviceaccount:develop:develop-user" cannot get services in the namespace "mynamespace"
$ kubectl get service my-service -n develop
hError from server (NotFound): services "my-service" not found
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.