Limit listed Kubernetes namespaces by access


Problem description

I have a set of users(dev-team) who need access only to dev and qa namespaces. I created a service account, cluster role and cluster role binding as shown below.

Service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-team

Cluster role

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dev-team-users
rules:
  - apiGroups: ["rbac.authorization.k8s.io",""]
    resources: ["namespaces"]
    resourceNames: ["dev","qa"]
    verbs: ["get","list","create"]

Cluster role binding

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dev-team-user-bindings
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  namespace: kube-system
  apiGroup: rbac.authorization.k8s.io

When I try to verify the access with

kubectl get namespaces --as=dev-team

I get the following error message:

Error from server (Forbidden): namespaces is forbidden: User "dev-team" cannot list resource "namespaces" in API group "" at the cluster scope

I am expecting to see only dev and qa namespaces to show up. Am I missing something here?

Answer

The list operation fails because you are using the resourceNames field in the ClusterRole to restrict the namespace objects to grant access to, but list would return all namespace objects.

But I guess what you actually want is to restrict access to the resources in the namespaces, not to the namespace objects themselves (which hold little information beyond the name of the namespace).

To achieve this, you have to create Roles (or a ClusterRole) and RoleBindings in those namespaces that you want to grant access to the users.

Here is how you can grant access to all resources for the dev-team user in the dev and qa namespaces but deny access to any resources in any other namespace.

Create a ClusterRole (you could also create a Role in the dev and qa namespaces, but using a ClusterRole allows you to define the permissions only once and then reference it from multiple RoleBindings):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dev-team-users
rules:
- apiGroups:
    - '*'
  resources:
  - '*'
  verbs:
  - '*'

devqa命名空间中创建一个RoleBinding:

Create a RoleBinding in both the dev and qa namespaces:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: dev-team-user-bindings
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: dev-team-user-bindings
  namespace: qa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  apiGroup: rbac.authorization.k8s.io

Test the access:

kubectl get pods -n qa --as=dev-team           # Succeeds
kubectl get pods -n dev --as=dev-team          # Succeeds
kubectl get pods -n default --as=dev-team      # Fails
kubectl get pods -n kube-system --as=dev-team  # Fails

See the Kubernetes RBAC documentation.

1. Identify the namespaces created by a user

Can't do this with RBAC. You would need some form of auditing.

2. Identify the namespaces a user has access to

Also can't do this easily with RBAC. But you could just iterate through all namespaces and test whether a given user has access:

for n in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
  echo -n "$n: "
  kubectl auth can-i get pods -n "$n" --as=dev-team
done

You can vary the verb/resource part (e.g. get pods) as needed.
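To make the two points of the answer concrete, here is a small Python model of RBAC rule matching (an added example, not part of the original answer and not kubectl or the API server's code): a rule carrying resourceNames only matches a request that names one object, so a plain list of namespaces is denied even though get on dev or qa is allowed, while a RoleBinding grants its ClusterRole only inside its own namespace. The dictionaries holding the two setups are constructed from the manifests on this page.

```python
def rule_matches(rule, req):
    """Match one RBAC PolicyRule against one request; '*' is a wildcard."""
    def ok(allowed_values, value):
        return "*" in allowed_values or value in allowed_values
    if not (ok(rule["apiGroups"], req["group"])
            and ok(rule["resources"], req["resource"])
            and ok(rule["verbs"], req["verb"])):
        return False
    names = rule.get("resourceNames", [])
    # A rule with resourceNames matches only a request that names one object.
    # list and create carry no object name, so such a rule never covers them.
    return not names or req.get("name") in names

def allowed(user, req, cluster_roles, cluster_bindings, role_bindings):
    """cluster_bindings {role: [users]} apply at every scope; role_bindings
    {(namespace, role): [users]} grant the ClusterRole only in that namespace."""
    for role, users in cluster_bindings.items():
        if user in users and any(rule_matches(r, req) for r in cluster_roles[role]):
            return True
    for (ns, role), users in role_bindings.items():
        if user in users and req.get("namespace") == ns \
                and any(rule_matches(r, req) for r in cluster_roles[role]):
            return True
    return False

# Constructed copies of the two setups on this page (not live cluster data).
# Question: cluster-scoped rule restricted by resourceNames, bound cluster-wide.
QUESTION_ROLES = {"dev-team-users": [{
    "apiGroups": ["rbac.authorization.k8s.io", ""], "resources": ["namespaces"],
    "resourceNames": ["dev", "qa"], "verbs": ["get", "list", "create"]}]}
QUESTION_CLUSTER_BINDINGS = {"dev-team-users": ["dev-team"]}
# Answer: wildcard ClusterRole, granted only through RoleBindings in dev and qa.
ANSWER_ROLES = {"dev-team-users": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
ANSWER_ROLE_BINDINGS = {("dev", "dev-team-users"): ["dev-team"],
                        ("qa", "dev-team-users"): ["dev-team"]}

def question_can(verb, name=None):
    """dev-team acting on the namespaces resource under the question's RBAC."""
    req = {"group": "", "resource": "namespaces", "verb": verb, "name": name}
    return allowed("dev-team", req, QUESTION_ROLES, QUESTION_CLUSTER_BINDINGS, {})

def answer_can(verb, resource, namespace):
    """dev-team acting on a namespaced resource under the answer's RBAC."""
    req = {"group": "", "resource": resource, "verb": verb, "namespace": namespace}
    return allowed("dev-team", req, ANSWER_ROLES, {}, ANSWER_ROLE_BINDINGS)
```

question_can("list") reproduces the Forbidden result from the question while question_can("get", "dev") succeeds; answer_can("get", "pods", "default") is denied and answer_can("get", "pods", "qa") is allowed, matching the kubectl checks above.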
