[Posted at]: 2020-07-07 16:54:57
[Problem description]:
I am deploying an application to my Kubernetes cluster that uses the Kubernetes API to list the Pods in the cluster (not only the Pods in its own namespace). The application will live in its own namespace.
The RBAC rules are as follows:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: kubecontrol-rbac-role-binding
  namespace: kubecontrol
subjects:
- kind: ServiceAccount
  namespace: kubecontrol
  name: default
roleRef:
  kind: ClusterRole
  name: kubecontrol-rbac-role
  apiGroup: rbac.authorization.k8s.io
As you can see, I have a ClusterRole that grants the "list", "get" and "watch" permissions on the "pods" resource, and a RoleBinding that applies this ClusterRole to the namespace's default ServiceAccount.
When I check the authorization with kubectl auth can-i, this configuration appears to be correct:
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods
yes
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods --v=8
...
I0326 23:17:05.125188 56505 request.go:947] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"kubecontrol","verb":"list","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"kubecontrol-rbac-role-binding/kubecontrol\" of ClusterRole \"kubecontrol-rbac-role\" to ServiceAccount \"default/kubecontrol\""}}
However, when I actually try to perform the operation, I am told that I am not allowed to do so:
$ kubectl get pod --as=system:serviceaccount:kubecontrol:default --all-namespaces
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kubecontrol:default" cannot list resource "pods" in API group "" at the cluster scope
I see the same error message in my application.
The user (system:serviceaccount:kubecontrol:default) is the same in both cases, so why can't I list pods, even though according to Kubernetes itself I should be able to? Am I missing something?
[Discussion]:
Tags: kubernetes kubectl rbac
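The two results above differ in scope: the `auth can-i` check is run with `-n kubecontrol`, so it asks about pods in that one namespace, while `--all-namespaces` is a cluster-scoped request (the error says "at the cluster scope"). A RoleBinding, even one that references a ClusterRole, only grants the role's rules inside the binding's own namespace; cluster-scoped requests are only ever matched by a ClusterRoleBinding. The following is an added example, not code from the question or from Kubernetes: a deliberately small model of that one evaluation rule, with the bindings from the question rebuilt as constructed Python dicts (it ignores resourceNames, non-resource URLs and role aggregation). Run against the question's RoleBinding it reproduces both observations; run against a hypothetical ClusterRoleBinding to the same ClusterRole it shows the cluster-scoped list succeeding.

```python
"""Minimal model of how Kubernetes RBAC scopes a binding (added example).

Models only the rule relevant to the question: a RoleBinding grants its
role's rules within the binding's namespace, a ClusterRoleBinding grants
them in every namespace and at cluster scope.  resourceNames,
nonResourceURLs and ClusterRole aggregation are deliberately left out.
"""

# ClusterRole rules, mirroring the YAML in the question (constructed dicts,
# not parsed from the manifest).
CLUSTER_ROLES = {
    "kubecontrol-rbac-role": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}

# The RoleBinding from the question: scoped to the "kubecontrol" namespace.
ROLE_BINDING = {
    "kind": "RoleBinding",
    "namespace": "kubecontrol",
    "subject": "system:serviceaccount:kubecontrol:default",
    "roleRef": "kubecontrol-rbac-role",
}

# Hypothetical ClusterRoleBinding to the same ClusterRole (not on the page).
CLUSTER_ROLE_BINDING = {
    "kind": "ClusterRoleBinding",
    "subject": "system:serviceaccount:kubecontrol:default",
    "roleRef": "kubecontrol-rbac-role",
}


def _rule_matches(rule, api_group, resource, verb):
    """True if one PolicyRule covers the request ('*' acts as a wildcard)."""
    def covers(values, wanted):
        return "*" in values or wanted in values
    return (covers(rule["apiGroups"], api_group)
            and covers(rule["resources"], resource)
            and covers(rule["verbs"], verb))


def is_allowed(bindings, user, namespace, verb, resource, api_group=""):
    """Evaluate a request the way `kubectl auth can-i` phrases it.

    namespace == "" means cluster scope, e.g. `kubectl get pods --all-namespaces`.
    Returns (allowed, reason) so the caller can see which binding decided.
    """
    for binding in bindings:
        if binding["subject"] != user:
            continue
        # A RoleBinding only applies to requests inside its own namespace;
        # a cluster-scoped request (namespace "") can never match it.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        rules = CLUSTER_ROLES.get(binding["roleRef"], [])
        if any(_rule_matches(r, api_group, resource, verb) for r in rules):
            return True, (f"allowed by {binding['kind']} of ClusterRole "
                          f"{binding['roleRef']!r}")
    where = "at the cluster scope" if namespace == "" else f"in namespace {namespace!r}"
    return False, f"{user} cannot {verb} resource {resource!r} {where}"


if __name__ == "__main__":
    sa = "system:serviceaccount:kubecontrol:default"
    # With only the question's RoleBinding: the namespaced check passes
    # (matches `auth can-i -n kubecontrol`), the cluster-scoped list is denied
    # (matches the `--all-namespaces` error).
    print(is_allowed([ROLE_BINDING], sa, "kubecontrol", "list", "pods"))
    print(is_allowed([ROLE_BINDING], sa, "", "list", "pods"))
    # With a ClusterRoleBinding instead, the cluster-scoped list is allowed.
    print(is_allowed([CLUSTER_ROLE_BINDING], sa, "", "list", "pods"))
```

The same distinction is what `kubectl auth can-i` reports if it is asked the cluster-scoped question directly, i.e. with `--all-namespaces` instead of `-n kubecontrol`; checking the exact scope the application will request is the quickest way to confirm which binding kind is needed, and keeping the grant as narrow as the application truly requires (read-only verbs, only the `pods` resource) is what limits the blast radius of a ClusterRoleBinding.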