Kubernetes RBAC verbs: get without list and vice versa? Watch without list?


Problem description

While there's a lot of documentation and examples on Kubernetes RBAC and also the available verbs for different resources, I couldn't find any rules on whether certain verbs are always used in combination or whether there are use cases for using them individually. In particular, I'm wondering about the verbs get, list, and watch. What are the uses of combining them, and especially of not combining them?

  • Are there uses for allowing get on a resource but not list?
  • Conversely, are there uses for allowing list but not get? Perhaps following a principle of information sparsity?
  • Get and list, but not watch? To restrict watching to trusted subjects and service accounts only, since it puts more load on the API server and etcd?
  • Watch without list or get? Wouldn't that cripple most clients, since they are list-watchers?

Recommended answer

Interesting question, here are some ideas and examples of usages in practice.

There are many more examples in practice. For example, you can inspect the default ClusterRoles by browsing through kubectl describe clusterroles. And to see which API requests kubectl makes under the hood, you can increase the log verbosity, for example, kubectl get pods -w -v 10.

get but not list

You want someone to be able to read resources they know by name but not discover what other resources exist. For example, this allows one to do kubectl get pod mypod, but not kubectl get pods.

Examples:

  • The system:node ClusterRole has get but not list permissions on Endpoints, PVs, and PVCs.
  • The system:coredns ClusterRole has get but not list permissions on Nodes.
  • The system:controller:expand-controller ClusterRole has get but not list permissions on Endpoints, Secrets, and Services.

list but not get

This allows one to do, for example, kubectl get pods but not kubectl get pod mypod. It doesn't make much sense, because all the information you can get with get is also included in list. Nevertheless, there are some usages of this in practice.

Examples:

  • The system:kube-dns ClusterRole has list and watch permissions for Endpoints and Services, but not get.
  • The system:controller:daemon-set-controller ClusterRole has list and watch permissions for Nodes, but not get.
  • The system:coredns ClusterRole has list and watch permissions for Endpoints, Namespaces, Pods, and Services, but not get.

get and list but not watch

In practice, in most cases where there is list there is also watch. You could deprive someone of watch to reduce the number of watchers on etcd. Users can do kubectl get pods and kubectl get pods mypod, but not use the -w option.

It also makes sense if the API does not support watch operations, like, for example, the optional metrics APIs.

Examples:

  • The system:controller:persistent-volume-binder ClusterRole has get and list permissions for Nodes, but not watch.

watch but not get and list

Regarding the use case, it doesn't make much sense, because all the information you can get with get and list is also included in watch. I don't know of any concrete usage of this in practice.

However, technically, it's possible. For example, if you have watch permissions for Pods, but not get and list, you can do:

✅ kubectl get --raw="/api/v1/watch/namespaces/default/pods"
✅ kubectl get --raw="/api/v1/watch/namespaces/default/pods/mypod"

And it works. However, these watch endpoints are deprecated and you should use the list endpoint with a watch parameter instead. But this also works:

✅ kubectl get --raw="/api/v1/namespaces/default/pods?watch=true"

However, you can't watch a single Pod like this, because the get endpoint doesn't have a watch parameter. So, the following is invalid:

❌ kubectl get --raw="/api/v1/namespaces/default/pods/mypod?watch=true"

And you can't watch resources with kubectl at all. The following fails:

❌ kubectl get pods -w
❌ kubectl get pods mypod -w

This is because kubectl makes a list or get request, respectively, before the watch request, most probably to get the resourceVersion of the resources, which is then included in the subsequent watch request.

Note: that means, if you have list and watch, then kubectl get pods -w works, but kubectl get pods mypod -w doesn't, and if you have get and watch, then kubectl get pods mypod -w works but kubectl get pods -w doesn't.
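The following is an added example, not part of the original question or answer. It simulates the two facts the answer relies on: the API server's RBAC authorizer matches each request against a rule per verb, and kubectl issues a list (unnamed) or get (named) request before the watch request when -w is given, so -w needs two verbs. The role rules are constructed for this example in the same shape as a Role/ClusterRole rules: list; the function names (rbac_allows, verbs_for_kubectl_get, kubectl_get_allowed) are assumptions of this example, not kubectl or Kubernetes APIs.

```python
"""Simulate which `kubectl get` invocations an RBAC Role permits (added example)."""

CORE = ""  # the core API group, written as "" in apiGroups; Pods live here

# Constructed roles mirroring the answer's cases (not cluster defaults).
ROLE_GET_ONLY = [{"apiGroups": [CORE], "resources": ["pods"], "verbs": ["get"]}]
ROLE_LIST_WATCH = [{"apiGroups": [CORE], "resources": ["pods"], "verbs": ["list", "watch"]}]
ROLE_GET_WATCH = [{"apiGroups": [CORE], "resources": ["pods"], "verbs": ["get", "watch"]}]
ROLE_WATCH_ONLY = [{"apiGroups": [CORE], "resources": ["pods"], "verbs": ["watch"]}]
# Name-scoped role: get permitted on one named Pod only.
ROLE_GET_MYPOD = [{"apiGroups": [CORE], "resources": ["pods"], "verbs": ["get"],
                   "resourceNames": ["mypod"]}]


def rbac_allows(rules, verb, resource, name=None, api_group=CORE):
    """Return True if at least one rule grants `verb` on `resource` (and `name`).

    RBAC is purely additive: there are no deny rules, so a request is allowed
    as soon as one rule matches apiGroups, resources, verbs and, when the rule
    carries resourceNames, the object name of the request.
    """
    for rule in rules:
        if api_group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        if resource not in rule["resources"] and "*" not in rule["resources"]:
            continue
        if verb not in rule["verbs"] and "*" not in rule["verbs"]:
            continue
        # A rule with resourceNames only matches a request that names one
        # object, so an unnamed list/watch request (name=None) never matches it.
        if rule.get("resourceNames") and name not in rule["resourceNames"]:
            continue
        return True
    return False


def verbs_for_kubectl_get(name=None, watch=False, raw=False):
    """Return the RBAC verbs, in order, that one `kubectl get` invocation needs.

    Mirrors what the answer observed with `kubectl get pods -w -v 10`:
      kubectl get pods                        -> list
      kubectl get pod mypod                   -> get
      kubectl get pods -w                     -> list, then watch
      kubectl get pod mypod -w                -> get, then watch
      kubectl get --raw=".../pods?watch=true" -> watch only (raw=True sends
                                                 exactly one request, no prior list)
    """
    if raw and watch:
        return ["watch"]
    verbs = ["get" if name else "list"]
    if watch:
        verbs.append("watch")
    return verbs


def kubectl_get_allowed(rules, name=None, watch=False, raw=False):
    """True only if every request kubectl would issue is authorized."""
    return all(rbac_allows(rules, verb, "pods", name)
               for verb in verbs_for_kubectl_get(name, watch, raw))


if __name__ == "__main__":
    roles = {"get only": ROLE_GET_ONLY, "list+watch": ROLE_LIST_WATCH,
             "get+watch": ROLE_GET_WATCH, "watch only": ROLE_WATCH_ONLY}
    commands = {"kubectl get pods": dict(),
                "kubectl get pod mypod": dict(name="mypod"),
                "kubectl get pods -w": dict(watch=True),
                "kubectl get pod mypod -w": dict(name="mypod", watch=True),
                "kubectl get --raw=.../pods?watch=true": dict(watch=True, raw=True)}
    for role_name, rules in roles.items():
        print(role_name)
        for cmd, kwargs in commands.items():
            mark = "ok " if kubectl_get_allowed(rules, **kwargs) else "deny"
            print(f"  {mark}  {cmd}")
```

Reading the table the script prints reproduces the answer's note: with list and watch the unnamed -w works and the named one is denied, with get and watch it is the reverse, and with watch alone only the raw watch request gets through. The same functions can be used to reason about a real Role before applying it; kubectl auth can-i --list answers the per-verb half of the question against a live cluster, but not the sequencing that -w adds.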
