Kubernetes - Granting RBAC access to anonymous users in kube dns

Problem description

I have a Kubernetes cluster set up with a master and a worker node. kubectl cluster-info shows kubernetes-master as well as kube-dns running successfully.

I am trying to access the URL below; since it is internal to my organization, it is not visible to the external world.

https://10.118.3.22:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

But I am getting the error below when I access it:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"kube-dns:dns\" is forbidden: User \"system:anonymous\" cannot get resource \"services/proxy\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "kube-dns:dns",
    "kind": "services"
  },
  "code": 403
}

Please let me know how to grant full access to the anonymous user. I read about RBAC in https://kubernetes.io/docs/reference/access-authn-authz/rbac/ but am unable to figure out what exactly I need to do. Thanks

Recommended answer

You can grant admin privileges to the anonymous user, but I strongly, strongly discourage it. This will give anyone outside the cluster access to the services using the URL.

If, even after that, you decide to grant all the access to the anonymous user, you can do it the following way:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: anonymous-role
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: anonymous-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: anonymous-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:anonymous

This will allow anonymous:user to proxy your services, not all resources. If you want that for all resources, you need to provide resources: ["*"] in anonymous-role.

Hope this helps.
