Grant Kubernetes service account privileges to get pods from all namespaces


Question

I would like to grant a Kubernetes service account privileges for executing kubectl --token $token get pod --all-namespaces. I'm familiar with doing this for a single namespace but don't know how to do it for all (including new ones that may be created in the future and without granting the service account full admin privileges).

Currently I receive this error message:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kube-system:test" cannot list resource "pods" in API group "" at the cluster scope

What (cluster) roles and role bindings are required?

UPDATE Assigning role view to the service with the following ClusterRoleBinding works and is a step forward. However, I'd like to confine the service account's privileges further to the minimum required.

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
subjects:
- kind: ServiceAccount
  name: test
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

The service account's token can be extracted as follows:

secret=$(kubectl get serviceaccount test -n kube-system -o=jsonpath='{.secrets[0].name}')
token=$(kubectl get secret $secret -n kube-system -o=jsonpath='{.data.token}' | base64 --decode -)

Answer

  1. Follow the YAML below and create the test service account.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test
  namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
subjects:
- kind: ServiceAccount
  name: test
  namespace: default
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Deploy the test pod from the sample below:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: test
  name: test
spec:
  serviceAccountName: test
  containers:
  - args:
    - sleep
    - "10000"
    image: alpine
    imagePullPolicy: IfNotPresent
    name: test
    resources:
      requests:
        memory: 100Mi

  2. Install curl and kubectl in the test pod.

kubectl exec test -- apk add curl
kubectl exec test -- curl -o /bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kubectl
kubectl exec test -- sh -c 'chmod +x /bin/kubectl'

  3. You should be able to list the pods in all namespaces from the test pod:

master $ kubectl exec test -- sh -c 'kubectl get pods --all-namespaces'
NAMESPACE     NAME                             READY   STATUS    RESTARTS   AGE
app1          nginx-6f858d4d45-m2w6f           1/1     Running   0          19m
app1          nginx-6f858d4d45-rdvht           1/1     Running   0          19m
app1          nginx-6f858d4d45-sqs58           1/1     Running   0          19m
app1          test                             1/1     Running   0          18m
app2          nginx-6f858d4d45-6rrfl           1/1     Running   0          19m
app2          nginx-6f858d4d45-djz4b           1/1     Running   0          19m
app2          nginx-6f858d4d45-mvscr           1/1     Running   0          19m
app3          nginx-6f858d4d45-88rdt           1/1     Running   0          19m
app3          nginx-6f858d4d45-lfjx2           1/1     Running   0          19m
app3          nginx-6f858d4d45-szfdd           1/1     Running   0          19m
default       test                             1/1     Running   0          6m
kube-system   coredns-78fcdf6894-g7l6n         1/1     Running   0          33m
kube-system   coredns-78fcdf6894-r87mx         1/1     Running   0          33m
kube-system   etcd-master                      1/1     Running   0          32m
kube-system   kube-apiserver-master            1/1     Running   0          32m
kube-system   kube-controller-manager-master   1/1     Running   0          32m
kube-system   kube-proxy-vnxb7                 1/1     Running   0          33m
kube-system   kube-proxy-vwt6z                 1/1     Running   0          33m
kube-system   kube-scheduler-master            1/1     Running   0          32m
kube-system   weave-net-d5dk8                  2/2     Running   1          33m
kube-system   weave-net-qjt76                  2/2     Running   1          33m
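As an added example (not code from the question or the answer above), the following Python script simulates the decision the Kubernetes RBAC authorizer makes for the three variants discussed on this page: a RoleBinding to pod-reader in a single namespace, the answer's ClusterRoleBinding to pod-reader, and the question's ClusterRoleBinding to the built-in view role. It shows why only a ClusterRoleBinding satisfies a cluster-scoped list (which is what `--all-namespaces` performs) and covers namespaces created later, and why pod-reader is the tighter choice. The rule sets, the subject name and the `future-ns` namespace are constructed for this example; the `view` rules are a representative subset of the real built-in ClusterRole, not its full definition.

```python
# Added example: offline model of RBAC authorization for "list pods".
# Rule sets below are constructed; `view` is a representative subset only.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Binding:
    subject: str                # e.g. "system:serviceaccount:default:test"
    rules: Tuple[Rule, ...]     # rules of the referenced Role/ClusterRole
    namespace: Optional[str]    # None = ClusterRoleBinding, str = RoleBinding in that namespace


def _matches(patterns, value):
    # RBAC treats "*" as a wildcard in apiGroups, resources and verbs
    return "*" in patterns or value in patterns


def rule_allows(rule, verb, api_group, resource):
    return (_matches(rule.verbs, verb)
            and _matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource))


def is_allowed(bindings, subject, verb, resource, api_group="", namespace=None):
    """namespace=None models a cluster-scoped request such as `get pods --all-namespaces`."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding only applies to requests inside its own namespace, so it
        # can never satisfy a cluster-scoped list, however broad the referenced role is.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in b.rules):
            return True
    return False


SA = "system:serviceaccount:default:test"

# The answer's pod-reader ClusterRole, expressed as a constructed rule set
POD_READER = (Rule(("",), ("pods",), ("get", "list", "watch")),)

# Constructed subset of the built-in `view` ClusterRole used in the question's update
VIEW_SUBSET = (
    Rule(("",), ("configmaps", "pods", "services"), ("get", "list", "watch")),
    Rule(("apps",), ("deployments", "replicasets"), ("get", "list", "watch")),
)

# RoleBinding in "default" referencing pod-reader: namespaced only
ROLEBINDING_DEFAULT = Binding(SA, POD_READER, "default")
# ClusterRoleBinding referencing pod-reader: the answer's solution
CRB_POD_READER = Binding(SA, POD_READER, None)
# ClusterRoleBinding referencing view: the question's "works but too broad" variant
CRB_VIEW = Binding(SA, VIEW_SUBSET, None)


def decisions(binding):
    """Evaluate the requests that matter for the question against one binding."""
    b = [binding]
    return {
        "list pods cluster-wide": is_allowed(b, SA, "list", "pods"),
        "list pods in default": is_allowed(b, SA, "list", "pods", namespace="default"),
        "list pods in a namespace created later": is_allowed(b, SA, "list", "pods", namespace="future-ns"),
        "get configmaps cluster-wide": is_allowed(b, SA, "get", "configmaps"),
        "delete pods in default": is_allowed(b, SA, "delete", "pods", namespace="default"),
    }


if __name__ == "__main__":
    for label, binding in [("RoleBinding -> pod-reader", ROLEBINDING_DEFAULT),
                           ("ClusterRoleBinding -> pod-reader", CRB_POD_READER),
                           ("ClusterRoleBinding -> view", CRB_VIEW)]:
        print(label)
        for request, ok in decisions(binding).items():
            print(f"  {request:42s} {'allowed' if ok else 'denied'}")
```

On a real cluster the same three questions can be put to the API server without using the service account's token at all, via impersonation: `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:default:test`, and `kubectl auth can-i get configmaps --as=...` to confirm that pod-reader does not grant more than pods. One caveat for the token extraction shown in the question: from Kubernetes 1.24 onward service accounts no longer get a long-lived token Secret created automatically, so the `.secrets[0].name` lookup returns nothing; `kubectl create token test` issues a short-lived token instead.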
