Kubernetes check serviceaccount permissions
Question
When deploying a service via a Helm Chart, the installation failed because the tiller serviceaccount was not allowed to create a ServiceMonitor resource.
Note:
- ServiceMonitor is a CRD defined by the Prometheus Operator to automagically get metrics of running containers in Pods.
- Helm Tiller is installed in a single namespace and the RBAC has been set up using Role and RoleBinding.
I wanted to verify the permissions of the tiller serviceaccount. kubectl has the auth can-i command, but queries like these (see below) always return no.
kubectl auth can-i list deployment --as=tiller
kubectl auth can-i list deployment --as=staging:tiller
What is the proper way to check permissions for a serviceaccount?
How do I enable the tiller account to create a ServiceMonitor resource?
Answer
After trying lots of things and Googling all over the universe I finally found this blogpost about Securing your cluster with RBAC and PSP, where an example is given of how to check access for serviceaccounts.
The correct command is:
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccount>
To check whether the tiller account has the right to create a ServiceMonitor object:
kubectl auth can-i create servicemonitor --as=system:serviceaccount:staging:tiller -n staging
Note: to solve my issue with the tiller account, I had to add rights to the servicemonitors resource in the monitoring.coreos.com apiGroup. After that change, the above command returned yes (finally) and the installation of our Helm Chart succeeded.
The updated tiller-manager Role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  labels:
    org: ipos
    app: tiller
  annotations:
    description: "Role to give Tiller appropriate access in namespace"
    ref: "https://docs.helm.sh/using_helm/#example-deploy-tiller-in-a-namespace-restricted-to-deploying-resources-only-in-that-namespace"
rules:
  # Full access to the core, batch, extensions and apps API groups in this namespace
  - apiGroups: ["", "batch", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]
  # Added rule: the Prometheus Operator CRD lives in its own API group and
  # was not covered by the wildcard above
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - '*'
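The two points the question and answer turn on are (1) that --as=tiller impersonates a user named tiller, whereas a serviceaccount is authenticated as system:serviceaccount:<namespace>:<name>, and (2) that RBAC rules are additive per API group, so a wildcard over the core, batch, extensions and apps groups says nothing about monitoring.coreos.com. The following added example (not part of the original post or of the Helm project) is a small offline evaluator that reproduces those two facts: it builds the serviceaccount subject string and the kubectl invocation from the answer, and it applies the Role's rules the way the RBAC authorizer matches apiGroups, resources and verbs. The rule lists are transcribed from the Role in the answer; the "original" rule set is an assumption that the Role consisted of only the first rule before the monitoring.coreos.com rule was added. It ignores resourceNames, subresources, nonResourceURLs and ClusterRoleBindings, so it is a teaching aid, not a replacement for kubectl auth can-i.

```python
"""Offline RBAC rule evaluator mirroring `kubectl auth can-i` for a serviceaccount."""
from typing import Dict, List

# Transcribed from the updated tiller-manager Role in the answer (constructed
# inline here; nothing is read from a live cluster).
TILLER_MANAGER_RULES: List[Dict[str, List[str]]] = [
    {"apiGroups": ["", "batch", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["monitoring.coreos.com"], "resources": ["servicemonitors"], "verbs": ["*"]},
]

# Assumption: before the fix the Role held only the first rule, which is why
# creating a ServiceMonitor was denied.
ORIGINAL_RULES = TILLER_MANAGER_RULES[:1]


def service_account_subject(namespace: str, name: str) -> str:
    """Username the API server assigns to a serviceaccount token.

    This is what must follow --as=. A bare --as=tiller impersonates a *user*
    called tiller, which has no RoleBinding, hence the constant 'no'.
    """
    return f"system:serviceaccount:{namespace}:{name}"


def can_i_command(verb: str, resource: str, namespace: str, sa: str) -> str:
    """Build the kubectl invocation shown in the answer for a given check."""
    return (f"kubectl auth can-i {verb} {resource} "
            f"--as={service_account_subject(namespace, sa)} -n {namespace}")


def _matches(wanted: str, allowed: List[str]) -> bool:
    # '*' is a wildcard in every list of a PolicyRule.
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Dict[str, List[str]], api_group: str, resource: str, verb: str) -> bool:
    """A PolicyRule grants a request only if apiGroup, resource AND verb all match.

    The core API group is the empty string; 'servicemonitors' lives in
    'monitoring.coreos.com', so a rule listing only core/batch/extensions/apps
    never matches it, whatever its resource/verb wildcards say.
    """
    return (_matches(api_group, rule["apiGroups"])
            and _matches(resource, rule["resources"])
            and _matches(verb, rule["verbs"]))


def can_i(rules: List[Dict[str, List[str]]], verb: str, api_group: str, resource: str) -> bool:
    """RBAC is purely additive: the request is allowed if any rule allows it."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def explain(rules: List[Dict[str, List[str]]], verb: str, api_group: str, resource: str) -> str:
    """yes/no in the style of kubectl auth can-i (uses plural resource names)."""
    return "yes" if can_i(rules, verb, api_group, resource) else "no"


if __name__ == "__main__":
    print(can_i_command("create", "servicemonitor", "staging", "tiller"))
    for label, rules in (("original", ORIGINAL_RULES), ("updated", TILLER_MANAGER_RULES)):
        print(label, "create servicemonitors.monitoring.coreos.com ->",
              explain(rules, "create", "monitoring.coreos.com", "servicemonitors"))
        print(label, "list deployments.apps ->",
              explain(rules, "list", "apps", "deployments"))
        print(label, "delete clusterroles.rbac.authorization.k8s.io ->",
              explain(rules, "delete", "rbac.authorization.k8s.io", "clusterroles"))
```

Against the original rule set the evaluator answers no for create servicemonitors in monitoring.coreos.com and yes once the second rule is present, matching the behaviour the answer describes; it also shows that the fix grants nothing outside the namespace-scoped groups listed (for example no access to clusterroles). On a real cluster the authoritative check remains the kubectl auth can-i command from the answer; kubectl resolves singular or short names such as servicemonitor to the plural resource via API discovery, which this offline evaluator does not do, so pass plural names to it.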