Using kubectl with Kubernetes authorization mode ABAC
Question
I set up a 4 node cluster (1 master, 3 workers) running Kubernetes on Ubuntu. I turned on --authorization-mode=ABAC and set up a policy file with an entry like the following
{"user":"bob", "readonly": true, "namespace": "projectgino"}
I want user bob to only be able to look at resources in projectgino. I'm having problems using the kubectl command line as user bob. When I run the following command
kubectl get pods --token=xxx --namespace=projectgino --server=https://xxx.xxx.xxx.xx:6443
I get the following error
error: couldn't read version from server: the server does not allow access to the requested resource
I traced the kubectl command line code and the problem seems to be caused by kubectl calling the function NegotiateVersion in pkg/client/helper.go. This makes a call to /api on the server to get the version of Kubernetes. This call fails because the REST path doesn't contain the namespace projectgino. I added trace code to pkg/auth/authorizer/abac/abac.go and it fails on the namespace check.
I haven't moved up to the latest 1.1.1 version of Kubernetes yet, but looking at the code I didn't see anything that has changed in this area.
Does anybody know how to configure Kubernetes to get around the problem?
Answer
This is missing functionality in the ABAC authorizer. The fix is in progress: #16148.
As for a workaround, from the authorization doc:
For miscellaneous endpoints, like /version, the resource is the empty string.
So you may be able to solve it by defining a policy:
{"user":"bob", "readonly": true, "resource": ""}
(note the empty string for resource) to grant access to unversioned endpoints. If that doesn't work I don't think there's a clean workaround that will let you use kubectl with --authorization-mode=ABAC.
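To see why the namespace-scoped line denies kubectl's version probe and what the suggested extra line actually grants, here is a small model of the ABAC matching rule. It is an added example, not code from the question, the answer or Kubernetes itself. It assumes the v1.0-era policy semantics in which an unset or zero-value policy field matches any request value, that a request counts as read-only when its HTTP verb is GET or HEAD, and a hand-written mapper from API paths to (namespace, resource) attributes; the two policy lines are constructed from the ones quoted above.

```python
"""Toy model of the ABAC policy matcher (added example, not Kubernetes code)."""
import json
from dataclasses import dataclass

# Constructed policy files: one JSON object per line, as the ABAC policy file expects.
NAMESPACE_ONLY_POLICY = '{"user":"bob", "readonly": true, "namespace": "projectgino"}\n'
WORKAROUND_POLICY = NAMESPACE_ONLY_POLICY + '{"user":"bob", "readonly": true, "resource": ""}\n'

# Assumption: a request is "read-only" when its verb is GET or HEAD.
READ_ONLY_VERBS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Attributes:
    """The four request attributes the authorizer is given."""
    user: str
    verb: str
    namespace: str
    resource: str

    @property
    def readonly(self) -> bool:
        return self.verb in READ_ONLY_VERBS


def attributes_from_path(user: str, verb: str, path: str) -> Attributes:
    """Hypothetical path mapper: /api and /version carry no namespace or resource,
    so the authorizer sees empty strings for both (the case kubectl hits first)."""
    parts = [p for p in path.split("/") if p]
    namespace, resource = "", ""
    if len(parts) >= 2 and parts[0] == "api":
        rest = parts[2:]  # drop "api" and the version segment such as "v1"
        if len(rest) >= 3 and rest[0] == "namespaces":  # /namespaces/<ns>/<resource>
            namespace, resource = rest[1], rest[2]
        elif rest:
            resource = rest[0]
    return Attributes(user, verb, namespace, resource)


def load_policies(policy_text: str) -> list:
    return [json.loads(line) for line in policy_text.splitlines() if line.strip()]


def policy_matches(policy: dict, attrs: Attributes) -> bool:
    """A policy matches when every field matches; a zero-value field is a wildcard."""
    if policy.get("user", "") not in ("", attrs.user):
        return False
    if policy.get("readonly", False) and not attrs.readonly:
        return False
    if policy.get("resource", "") not in ("", attrs.resource):
        return False
    if policy.get("namespace", "") not in ("", attrs.namespace):
        return False
    return True


def authorize(policy_text: str, user: str, verb: str, path: str) -> bool:
    """Allow the request if any policy line matches its attributes."""
    attrs = attributes_from_path(user, verb, path)
    return any(policy_matches(p, attrs) for p in load_policies(policy_text))


if __name__ == "__main__":
    requests = [
        ("bob", "GET", "/api"),                                   # kubectl's version probe
        ("bob", "GET", "/version"),
        ("bob", "GET", "/api/v1/namespaces/projectgino/pods"),
        ("bob", "GET", "/api/v1/namespaces/other/pods"),          # outside bob's namespace
        ("bob", "DELETE", "/api/v1/namespaces/projectgino/pods"),
        ("alice", "GET", "/api"),
    ]
    for name, text in (("namespace-only", NAMESPACE_ONLY_POLICY), ("with workaround", WORKAROUND_POLICY)):
        print(f"--- policy file: {name}")
        for user, verb, path in requests:
            print(f"{user:6} {verb:6} {path:45} -> {'allow' if authorize(text, user, verb, path) else 'deny'}")
```

With only the namespace-scoped line, GET /api is denied because the request's namespace is the empty string and the policy's is projectgino, which is the check the question traced in abac.go. Adding the resource:"" line lets /api and /version through, but under the zero-value-is-wildcard rule that line has an empty namespace and an empty resource, so it also allows bob to read every resource in every namespace; confirm whether that is acceptable before shipping the policy file.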