Kubernetes check serviceaccount permissions


Problem description

When deploying a service via a Helm Chart, the installation failed because the tiller serviceaccount was not allowed to create a ServiceMonitor resource.

Note:

  • ServiceMonitor is a CRD defined by the Prometheus Operator to automagically get metrics of running containers in Pods.
  • Helm Tiller is installed in a single namespace and the RBAC has been setup using Role and RoleBinding.


I wanted to verify the permissions of the tiller serviceaccount.
kubectl has the auth can-i command, but queries like these (see below) always return no.

  • kubectl auth can-i list deployment --as=tiller
  • kubectl auth can-i list deployment --as=staging:tiller


What is the proper way to check permissions for a serviceaccount?
How to enable the tiller account to create a ServiceMonitor resource?

Recommended answer

After trying lots of things and Googling all over the universe I finally found this blogpost about Securing your cluster with RBAC and PSP where an example is given how to check access for serviceaccounts.

The correct command is:
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccountname> [-n <namespace>]

To check whether the tiller account has the right to create a ServiceMonitor object:
kubectl auth can-i create servicemonitor --as=system:serviceaccount:staging:tiller -n staging

Note: to solve my issue with the tiller account, I had to add rights to the servicemonitors resource in the monitoring.coreos.com apiGroup. After that change, the above command returned yes (finally) and the installation of our Helm Chart succeeded.

Updated tiller-manager role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  labels:
    org: ipos
    app: tiller
  annotations:
    description: "Role to give Tiller appropriate access in namespace"
    ref: "https://docs.helm.sh/using_helm/#example-deploy-tiller-in-a-namespace-restricted-to-deploying-resources-only-in-that-namespace"
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups:
    - monitoring.coreos.com
  resources:
    - servicemonitors
  verbs:
    - '*'
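The following is an added example, not code from the question or the answer above. It models, offline, how the API server matches a request against the rules of a Role (the same "*"-or-exact matching the RBAC helpers apply to apiGroups, resources and verbs, including the `*/subresource` case), so you can see why the tiller-manager Role above denied `create servicemonitors` until the `monitoring.coreos.com` rule was added, without needing a cluster. The two rule sets are the ones from the answer, embedded as Python dicts so the script runs without PyYAML. It also builds the `--as` identity string: `--as=tiller` impersonates a User named `tiller` with no bindings, which is why the question's queries returned no; a ServiceAccount is only matched as `system:serviceaccount:<namespace>:<name>`. The `resource.group` qualification in the generated command is my choice for disambiguating a CRD (kubectl resolves that form through its resource mapper); the answer itself uses the bare resource name.

```python
"""Offline RBAC rule evaluator (added example, not from the original post)."""

# Rules of the tiller-manager Role from the answer, before the fix.
ROLE_BEFORE = [
    {"apiGroups": ["", "batch", "extensions", "apps"],
     "resources": ["*"], "verbs": ["*"]},
]

# The same Role after the fix: the monitoring.coreos.com rule was added.
ROLE_AFTER = ROLE_BEFORE + [
    {"apiGroups": ["monitoring.coreos.com"],
     "resources": ["servicemonitors"], "verbs": ["*"]},
]


def _match(allowed, wanted):
    """RBAC list matching for apiGroups and verbs: '*' or an exact entry."""
    return "*" in allowed or wanted in allowed


def _resource_matches(allowed, wanted):
    """Resource matching including subresources: 'pods/log' is granted by
    'pods/log', '*/log' or '*'; a plain 'pods' entry does not cover it."""
    if "*" in allowed or wanted in allowed:
        return True
    if "/" in wanted:
        _res, sub = wanted.split("/", 1)
        return f"*/{sub}" in allowed
    return False


def rule_allows(rule, api_group, resource, verb):
    """A single PolicyRule matches only if group, resource and verb all match."""
    return (_match(rule.get("apiGroups", []), api_group)
            and _resource_matches(rule.get("resources", []), resource)
            and _match(rule.get("verbs", []), verb))


def role_allows(rules, api_group, resource, verb):
    """RBAC is purely additive: any matching rule allows, nothing denies."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def sa_username(namespace, name):
    """The user name RBAC sees for a ServiceAccount; this is what --as must
    impersonate. A bare '--as=tiller' is a User named 'tiller' instead."""
    return f"system:serviceaccount:{namespace}:{name}"


def can_i_command(verb, resource, namespace, sa_name, api_group=""):
    """Build the kubectl auth can-i invocation for a service account.
    The resource is qualified as resource.group (my choice, see lead-in)
    so a CRD such as servicemonitors is resolved unambiguously."""
    res = f"{resource}.{api_group}" if api_group else resource
    return (f"kubectl auth can-i {verb} {res} "
            f"--as={sa_username(namespace, sa_name)} -n {namespace}")


if __name__ == "__main__":
    req = ("monitoring.coreos.com", "servicemonitors", "create")
    print("before fix:", role_allows(ROLE_BEFORE, *req))  # False
    print("after fix: ", role_allows(ROLE_AFTER, *req))   # True
    print(can_i_command("create", "servicemonitors", "staging", "tiller",
                        api_group="monitoring.coreos.com"))
```

Two practical caveats when running the real command: impersonating with `--as` requires that your own identity holds the `impersonate` verb (cluster-admin does), and a Role only binds inside its namespace, so pass `-n` explicitly rather than relying on the current context. `kubectl auth can-i --list --as=system:serviceaccount:staging:tiller -n staging` prints everything the account may do in that namespace, which is a quicker way to audit a Tiller or operator account than probing one verb at a time.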
