I'm trying to configure Kubernetes RBAC in the least-permissive way possible, and I want to scope my roles to specific resources and subresources. I've dug through the docs and can't find a concise list of resources and their subresources.

I'm particularly interested in the subresource that governs one part of the Deployment spec (the container image).
Using `kubectl api-resources -o wide` shows all resources, their verbs and the associated API group:

```
$ kubectl api-resources -o wide
NAME                     SHORTNAMES   APIGROUP                  NAMESPACED   KIND                    VERBS
bindings                                                        true         Binding                 [create]
componentstatuses        cs                                     false        ComponentStatus         [get list]
configmaps               cm                                     true         ConfigMap               [create delete deletecollection get list patch update watch]
endpoints                ep                                     true         Endpoints               [create delete deletecollection get list patch update watch]
events                   ev                                     true         Event                   [create delete deletecollection get list patch update watch]
limitranges              limits                                 true         LimitRange              [create delete deletecollection get list patch update watch]
namespaces               ns                                     false        Namespace               [create delete get list patch update watch]
nodes                    no                                     false        Node                    [create delete deletecollection get list patch update watch]
persistentvolumeclaims   pvc                                    true         PersistentVolumeClaim   [create delete deletecollection get list patch update watch]
persistentvolumes        pv                                     false        PersistentVolume        [create delete deletecollection get list patch update watch]
pods                     po                                     true         Pod                     [create delete deletecollection get list patch update watch]
statefulsets             sts          apps                      true         StatefulSet             [create delete deletecollection get list patch update watch]
meshpolicies                          authentication.istio.io   false        MeshPolicy              [delete deletecollection get list patch create update watch]
policies                              authentication.istio.io   true         Policy                  [delete deletecollection get list patch create update watch]
...
```

I guess you can use this to build the list of resources you need in your RBAC configuration.
The resources, subresources and verbs needed to define RBAC roles are not documented in a static list anywhere. They are available in the discovery documents, i.e. via the API, e.g. /api/apps/v1.

The following bash script lists all resources, subresources and verbs in the format

```
api_version resource: [verb]
```

where `api-version` is `core` for core resources, which should be replaced by `""` (a quoted empty string) in your role definition. For example: `core pods/status: get patch update`.

The script requires `jq`.
```bash
#!/bin/bash

# API server address (e.g. an unauthenticated `kubectl proxy` endpoint)
SERVER="localhost:8080"

# space-separated list of all non-core API group names
APIS=$(curl -s "$SERVER/apis" | jq -r '[.groups | .[].name] | join(" ")')

# do core resources first, which are at a separate api location
api="core"
curl -s "$SERVER/api/v1" | jq -r --arg api "$api" \
    '.resources | .[] | "\($api) \(.name): \(.verbs | join(" "))"'

# now do non-core resources, using each group's preferred version
for api in $APIS; do
    version=$(curl -s "$SERVER/apis/$api" | jq -r '.preferredVersion.version')
    curl -s "$SERVER/apis/$api/$version" | jq -r --arg api "$api" \
        '.resources | .[]? | "\($api) \(.name): \(.verbs | join(" "))"'
done
```
Caveat: note that if no verbs are listed via the API, the output shows only the API version and the resource, e.g.

```
core pods/exec:
```

In the specific case of the following resources, no verbs were exposed via the API, which is a bug (Kubernetes bug #65421, fixed by #65518):

```
nodes/proxy
pods/attach
pods/exec
pods/portforward
pods/proxy
services/proxy
```

The verbs supported by these resources are as follows:

```
nodes/proxy: create delete get patch update
pods/attach: create get
pods/exec: create get
pods/portforward: create get
pods/proxy: create delete get patch update
services/proxy: create delete get patch update
```
Caveat 2: sometimes Kubernetes checks additional permissions using special verbs that are not listed here. For example, the `bind` verb is required for the `roles` and `clusterroles` resources in the `rbac.authorization.k8s.io` API group. Details of these special verbs can be found in the Kubernetes documentation.
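As an added example (not part of the answer above, and not from any Kubernetes project code), here is the same discovery-to-RBAC flow in Python, run entirely offline against constructed discovery documents. It reproduces the `api resource: verbs` listing of the bash script, fills in the verbs for the subresources whose discovery entries were empty at the time (the bug noted in the caveat), and then builds a Role manifest from a list of wanted `(group, resource, verbs)` triples, refusing any verb that discovery does not advertise and mapping `core` to `""` as the RBAC API expects. The discovery documents, role name, namespace and resource selection are all assumptions made for the example; kubectl accepts the JSON it prints with `kubectl apply -f`.

```python
import json

# Constructed sample discovery documents, trimmed to a few resources each.
# They mimic the shape of GET /api/v1 and GET /apis/apps/v1 but are not
# captured from a live cluster.
DISCOVERY_DOCS = {
    "core": {
        "groupVersion": "v1",
        "resources": [
            {"name": "pods", "namespaced": True, "kind": "Pod",
             "verbs": ["create", "delete", "deletecollection", "get",
                       "list", "patch", "update", "watch"]},
            {"name": "pods/status", "namespaced": True, "kind": "Pod",
             "verbs": ["get", "patch", "update"]},
            {"name": "pods/log", "namespaced": True, "kind": "Pod",
             "verbs": ["get"]},
            # Discovery reported no verbs for this subresource (the bug the
            # answer refers to); the bash script would print "core pods/exec:".
            {"name": "pods/exec", "namespaced": True, "kind": "Pod",
             "verbs": []},
        ],
    },
    "apps": {
        "groupVersion": "apps/v1",
        "resources": [
            {"name": "deployments", "namespaced": True, "kind": "Deployment",
             "verbs": ["create", "delete", "deletecollection", "get",
                       "list", "patch", "update", "watch"]},
            {"name": "deployments/scale", "namespaced": True, "kind": "Scale",
             "verbs": ["get", "patch", "update"]},
            {"name": "deployments/status", "namespaced": True,
             "kind": "Deployment", "verbs": ["get", "patch", "update"]},
        ],
    },
}

# Verbs the answer lists for the subresources whose discovery entries were
# empty; consulted only when discovery reports no verbs at all.
FALLBACK_VERBS = {
    "nodes/proxy": ["create", "delete", "get", "patch", "update"],
    "pods/attach": ["create", "get"],
    "pods/exec": ["create", "get"],
    "pods/portforward": ["create", "get"],
    "pods/proxy": ["create", "delete", "get", "patch", "update"],
    "services/proxy": ["create", "delete", "get", "patch", "update"],
}


def list_resources(docs=DISCOVERY_DOCS):
    """Return [(group, resource, verbs)] from the discovery docs, filling in
    FALLBACK_VERBS where discovery reports an empty verb list."""
    entries = []
    for group, doc in docs.items():
        for res in doc["resources"]:
            verbs = list(res.get("verbs") or [])
            if not verbs:
                verbs = list(FALLBACK_VERBS.get(res["name"], []))
            entries.append((group, res["name"], verbs))
    return entries


def format_entry(group, resource, verbs):
    """Same 'api resource: verb ...' line format as the bash script."""
    return f"{group} {resource}: {' '.join(verbs)}"


def build_role(name, namespace, wanted, entries=None):
    """Build a namespaced Role granting exactly `wanted`, a list of
    (group, resource, verbs). Every verb is checked against discovery so a
    typo or unsupported verb fails here instead of silently granting nothing.
    The 'core' pseudo-group is written as "" in the manifest."""
    entries = list_resources() if entries is None else entries
    supported = {(g, r): set(v) for g, r, v in entries}
    rules = []
    for group, resource, verbs in wanted:
        have = supported.get((group, resource))
        if have is None:
            raise ValueError(f"unknown resource: {group} {resource}")
        unsupported = sorted(set(verbs) - have)
        if unsupported:
            raise ValueError(
                f"{group} {resource} does not support: {' '.join(unsupported)}")
        rules.append({
            "apiGroups": ["" if group == "core" else group],
            "resources": [resource],
            "verbs": sorted(verbs),
        })
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": rules,
    }


if __name__ == "__main__":
    for entry in list_resources():
        print(format_entry(*entry))
    # Hypothetical role: read pods and their logs, resize deployments, nothing else.
    role = build_role("deploy-scaler", "team-a", [
        ("core", "pods", ["get", "list"]),
        ("core", "pods/log", ["get"]),
        ("apps", "deployments/scale", ["get", "patch"]),
    ])
    print(json.dumps(role, indent=2))
```

Keeping each rule to a single resource (including subresources such as `pods/log` or `deployments/scale`) rather than a wildcard is what makes the role auditable: the verb check against discovery catches the case where a subresource advertises fewer verbs than its parent, which is exactly the distinction the question is after.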