分配给主体的kubectl和看到(群集)角色 [英] kubectl and seeing (cluster)roles assigned to subjects

问题描述

我可以使用kubectl查看将群集角色应用于哪些主题，例如:

I can use kubectl to see to which subjects a cluster role is applied, eg:

kubectl get clusterrolebindings system:node --all-namespaces -o json                                                                                                                                                                    
{
    "apiVersion": "rbac.authorization.k8s.io/v1beta1",
    "kind": "ClusterRoleBinding",
     ....
     ....
    "subjects": [
        {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "Group",
            "name": "system:nodes"
        }
    ]
}

我想反过来获得此信息，例如:我想列出应用于"system:nodes"主题的所有策略.

I would like to get this info the other way around, eg: I want to list all policies applied to the "system:nodes" subject.

我该怎么做?

推荐答案

没有用于反向索引的API.您可以查找绑定并过滤包含预期主题的绑定.例如，使用bash，jq和kubectl:

There is no API for the reverse index. You can look up bindings and filter on ones containing the expected subject. For example, using bash, jq, and kubectl:

# $1 is kind (User, Group, ServiceAccount)
# $2 is name ("system:nodes", etc)
# $3 is namespace (optional, only applies to kind=ServiceAccount)
function getRoles() {
    local kind="${1}"
    local name="${2}"
    local namespace="${3:-}"

    kubectl get clusterrolebinding -o json | jq -r "
      .items[]
      | 
      select(
        .subjects[]?
        | 
        select(
            .kind == \"${kind}\" 
            and
            .name == \"${name}\"
            and
            (if .namespace then .namespace else \"\" end) == \"${namespace}\"
        )
      )
      |
      (.roleRef.kind + \"/\" + .roleRef.name)
    "
}

$ getRoles Group system:authenticated
ClusterRole/system:basic-user
ClusterRole/system:discovery

$ getRoles ServiceAccount attachdetach-controller kube-system
ClusterRole/system:controller:attachdetach-controller

这篇关于分配给主体的kubectl和看到(群集)角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！