Kubernetes check serviceaccount permissions


Problem description

When deploying a service via a Helm Chart, the installation failed because the tiller serviceaccount was not allowed to create a ServiceMonitor resource.

Note:

  • ServiceMonitor is a CRD defined by the Prometheus Operator to automagically get metrics of running containers in Pods.
  • Helm Tiller is installed in a single namespace and the RBAC has been set up using Role and RoleBinding.


I wanted to verify the permissions of the tiller serviceaccount.
kubectl has the auth can-i command; queries like these (see below) always return no.

  • kubectl auth can-i list deployment --as=tiller
  • kubectl auth can-i list deployment --as=staging:tiller


What is the proper way to check permissions for a serviceaccount?
How to enable the tiller account to create a ServiceMonitor resource?

Accepted answer


After trying lots of things and Googling all over the universe I finally found this blogpost about Securing your cluster with RBAC and PSP where an example is given how to check access for serviceaccounts.


The correct command is:
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccountname> [-n <namespace>]


To check whether the tiller account has the right to create a ServiceMonitor object:
kubectl auth can-i create servicemonitor --as=system:serviceaccount:staging:tiller -n staging


Note: to solve my issue with the tiller account, I had to add rights to the servicemonitors resource in the monitoring.coreos.com apiGroup. After that change, the above command returned yes (finally) and the installation of our Helm Chart succeeded.

Updated tiller-manager role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  labels:
    org: ipos
    app: tiller
  annotations:
    description: "Role to give Tiller appropriate access in namespace"
    ref: "https://docs.helm.sh/using_helm/#example-deploy-tiller-in-a-namespace-restricted-to-deploying-resources-only-in-that-namespace"
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups:
    - monitoring.coreos.com
  resources:
    - servicemonitors
  verbs:
    - '*'
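As an added example (not part of the original answer), the following Python models the RBAC rule matching that `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<ns>:<sa>` asks the API server to perform, using rule lists constructed from the tiller-manager Role above. It shows why `resources: ["*"]` in the original rule never covered servicemonitors (different apiGroup) and why a bare `--as=tiller` is the wrong principal; resourceNames, subresources, nonResourceURLs and ClusterRoleBindings are deliberately left out of the model.

```python
# Added example (not from the original Q&A): a simplified offline model of
# how the API server matches a request against Role rules, which is what
# `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<ns>:<sa>`
# asks it to do. resourceNames, subresources and bindings are ignored.

# Constructed from the tiller-manager Role in the answer: the rules before
# the fix (core, batch, extensions and apps groups only) ...
RULES_BEFORE = [
    {"apiGroups": ["", "batch", "extensions", "apps"],
     "resources": ["*"], "verbs": ["*"]},
]
# ... and after adding the monitoring.coreos.com/servicemonitors rule.
RULES_AFTER = RULES_BEFORE + [
    {"apiGroups": ["monitoring.coreos.com"],
     "resources": ["servicemonitors"], "verbs": ["*"]},
]

def serviceaccount_username(namespace: str, name: str) -> str:
    """Username the API server assigns to a ServiceAccount token.

    This is the value kubectl needs after --as=; a bare 'tiller' or
    'staging:tiller' impersonates an ordinary user of that name instead,
    which is why the queries in the question always answered 'no'.
    """
    return f"system:serviceaccount:{namespace}:{name}"

def _matches(rule_values, wanted: str) -> bool:
    # RBAC treats '*' in a rule's list as matching any value.
    return "*" in rule_values or wanted in rule_values

def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """A rule grants a request only if apiGroup, resource AND verb all match."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))

def can_i(rules: list, verb: str, resource: str, api_group: str = "") -> str:
    """'yes' if any rule grants the request, else 'no' (RBAC has no deny rules)."""
    return "yes" if any(rule_allows(r, api_group, resource, verb) for r in rules) else "no"

if __name__ == "__main__":
    print(serviceaccount_username("staging", "tiller"))
    # resources: ["*"] in the original rule never reaches servicemonitors,
    # because that CRD lives in the monitoring.coreos.com group.
    print("before:", can_i(RULES_BEFORE, "create", "servicemonitors", "monitoring.coreos.com"))
    print("after: ", can_i(RULES_AFTER, "create", "servicemonitors", "monitoring.coreos.com"))
    print("deploy:", can_i(RULES_AFTER, "list", "deployments", "apps"))
```

The same checks against a live cluster are the `kubectl auth can-i ... --as=system:serviceaccount:staging:tiller -n staging` calls shown in the answer; the model only explains the yes/no they return.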
