RBAC-限制一个服务帐户的访问权限 [英] RBAC - Limit access for one service account
问题描述
我想将权限限制为以下服务帐户,如下所示:
I want to limit the permissions to the following service account, created it as follows:
kubectl create serviceaccount alice --namespace default
secret=$(kubectl get sa alice -o json | jq -r .secrets[].name)
kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt
user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -d)
c=`kubectl config current-context`
name=`kubectl config get-contexts $c | awk '{print $3}' | tail -n 1`
endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"`
kubectl config set-cluster cluster-staging \
--embed-certs=true \
--server=$endpoint \
--certificate-authority=./ca.crt
kubectl config set-credentials alice-staging --token=$user_token
kubectl config set-context alice-staging \
--cluster=cluster-staging \
--user=alice-staging \
--namespace=default
kubectl config get-contexts
#kubectl config use-context alice-staging
此人有权查看包含以下内容的所有内容:
kubectl --context=alice-staging get pods --all-namespaces
This has permission to see everything with:
kubectl --context=alice-staging get pods --all-namespaces
我尝试将其限制为以下内容,但仍具有所有权限:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: no-access
rules:
- apiGroups: [""]
resources: [""]
verbs: [""]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: no-access-role
subjects:
- kind: ServiceAccount
name: alice
namespace: default
roleRef:
kind: ClusterRole
name: no-access
apiGroup: rbac.authorization.k8s.io
这个想法是限制对命名空间的访问,以便为用户分发令牌,但是我没有得到……我认为这可能是为继承的权限,但是我不能为单个serviceacount禁用它.
The idea is to limit access to a namespace to distribute tokens for users, but I do not get it ... I think it may be for inherited permissions but I can not disabled for a single serviceacount.
使用:GKE,container-vm
THX!
推荐答案
请注意,服务帐户并非供用户使用,而是供在pod内运行的进程使用(
Note that service accounts are not meant for users, but for processes running inside pods (https://kubernetes.io/docs/admin/service-accounts-admin/).
在在Kubernetes中为kubectl创建用户,您可以找到如何创建您的K8s群集的用户帐户.
In Create user in Kubernetes for kubectl you can find how to create a user account for your K8s cluster.
此外,我建议您检查集群中是否实际启用了RBAC,这可以说明用户可以执行预期的更多操作.
Moreover, I advise you to check whether RBAC is actually enabled in your cluster, which could explain that a user can do more operations that expected.
这篇关于RBAC-限制一个服务帐户的访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!