Using kubectl with Kubernetes authorization mode ABAC


Question

I set up a 4 node cluster (1 master, 3 workers) running Kubernetes on Ubuntu. I turned on --authorization-mode=ABAC and set up a policy file with an entry like the following:

{"user":"bob", "readonly": true, "namespace": "projectgino"}

I want user bob to only be able to look at resources in projectgino. I'm having problems using the kubectl command line as user bob. When I run the following command

kubectl get pods --token=xxx --namespace=projectgino --server=https://xxx.xxx.xxx.xx:6443

I get the following error:

error: couldn't read version from server: the server does not allow access to the requested resource

I traced the kubectl command line code and the problem seems to be caused by kubectl calling the function NegotiateVersion in pkg/client/helper.go. This makes a call to /api on the server to get the version of Kubernetes. This call fails because the REST path doesn't contain the namespace projectgino. I added trace code to pkg/auth/authorizer/abac/abac.go and it fails on the namespace check.

I haven't moved up to the latest 1.1.1 version of Kubernetes yet, but looking at the code I didn't see anything that has changed in this area.

Does anybody know how to configure Kubernetes to get around the problem?

Answer

This is missing functionality in the ABAC authorizer. The fix is in progress: #16148.

As for a workaround, from the authorization doc:

For miscellaneous endpoints, like /version, the resource is the empty string.

So you may be able to solve it by defining a policy:

{"user":"bob", "readonly": true, "resource": ""}

(note the empty string for resource) to grant access to the unversioned endpoints. If that doesn't work I don't think there's a clean workaround that will let you use kubectl with --authorization-mode=ABAC.
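Added illustration, not code from the question, the answer, or Kubernetes itself: a small Go re-implementation of the matcher for the flat, one-JSON-object-per-line policy file the question uses, following the rule from the 1.1 authorization doc that an unset property is its zero value and matches anything. It parses the question's one-line file and the answer's two-line workaround and evaluates four constructed requests against each, so the failing /api version probe and the effect of the workaround can be seen without a cluster. The request attributes (user, read-only flag, resource, namespace) and the kube-system scenario are constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// policy is one line of the flat ABAC policy file. This is an illustrative
// re-implementation for the example, not the kube-apiserver code.
type policy struct {
	User      string `json:"user"`
	Readonly  bool   `json:"readonly"`
	Resource  string `json:"resource"`
	Namespace string `json:"namespace"`
}

// request is the attribute set the authorizer sees for one API call.
// Resource and Namespace are "" for miscellaneous paths such as /api or /version.
type request struct {
	User      string
	ReadOnly  bool
	Resource  string
	Namespace string
}

// parsePolicies reads one JSON object per line; blank lines and '#' comments are skipped.
func parsePolicies(file string) ([]policy, error) {
	var out []policy
	sc := bufio.NewScanner(strings.NewReader(file))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		var p policy
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("policy line %d: %w", n, err)
		}
		out = append(out, p)
	}
	return out, sc.Err()
}

// matches applies "unset property == zero value == wildcard": each non-zero
// field of the policy must equal the corresponding request attribute.
func (p policy) matches(r request) bool {
	if p.User != "" && p.User != r.User {
		return false
	}
	if p.Readonly && !r.ReadOnly {
		return false
	}
	if p.Resource != "" && p.Resource != r.Resource {
		return false
	}
	if p.Namespace != "" && p.Namespace != r.Namespace {
		return false
	}
	return true
}

// authorize is deny-by-default: the request is allowed if any policy line matches.
func authorize(policies []policy, r request) bool {
	for _, p := range policies {
		if p.matches(r) {
			return true
		}
	}
	return false
}

// questionPolicy is the single line from the question; workaroundPolicy appends the answer's line.
const questionPolicy = `{"user":"bob", "readonly": true, "namespace": "projectgino"}`
const workaroundPolicy = questionPolicy + "\n" + `{"user":"bob", "readonly": true, "resource": ""}`

// scenarios are constructed requests bob might make (labels are only for the report).
var scenarios = []struct {
	name string
	req  request
}{
	{"GET pods in projectgino", request{"bob", true, "pods", "projectgino"}},
	{"GET /api (version probe)", request{"bob", true, "", ""}},
	{"GET pods in kube-system", request{"bob", true, "pods", "kube-system"}},
	{"POST pods in projectgino", request{"bob", false, "pods", "projectgino"}},
}

// evaluate returns the allow/deny decision for every scenario under one policy file.
func evaluate(file string) (map[string]bool, error) {
	ps, err := parsePolicies(file)
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(scenarios))
	for _, s := range scenarios {
		out[s.name] = authorize(ps, s.req)
	}
	return out, nil
}

func main() {
	for _, f := range []struct{ label, file string }{{"question", questionPolicy}, {"workaround", workaroundPolicy}} {
		res, err := evaluate(f.file)
		if err != nil {
			panic(err)
		}
		fmt.Println(f.label + " policy file:")
		for _, s := range scenarios {
			fmt.Printf("  %-26s allow=%v\n", s.name, res[s.name])
		}
	}
}
```

Under the question's one-line file the pod list in projectgino is allowed but the GET of /api is denied, because that request carries an empty namespace and the policy's namespace is set; that is the error kubectl reports. With the answer's second line the version probe passes, but note what else changes: in this flat format an explicit "" is the same as leaving the field out, so "resource": "" does not single out the miscellaneous endpoints, it matches every resource, and with no namespace set it matches every namespace. The kube-system scenario in the example flips from denied to allowed, so the workaround gives bob read-only access to the whole cluster rather than just projectgino; writes stay denied because readonly is still true.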
