kubernetes - kubernetes权限结果不一致

我创建了一个服务帐户，一个角色和一个将角色附加到SA的角色绑定(bind)。
我正在尝试让服务帐户列出节点，但是我不能，尽管auth call 告诉我可以(对于部署，最糟糕的是，角色确实允许它，但是我什么也不能做):

#pods
Simons-MBP:psp simon$ kubectl  --as=system:serviceaccount:psp-ns:sa-test auth can-i get pods
yes
Simons-MBP:psp simon$ kubectl  --as=system:serviceaccount:psp-ns:sa-test get pods
NAME      READY   STATUS                       RESTARTS   AGE
no-st-1   0/1     CreateContainerConfigError   0          74m <<--ignore the ConfigError, this is expected.

# nodes
Simons-MBP:psp simon$ kubectl  --as=system:serviceaccount:psp-ns:sa-test auth can-i get nodes
Warning: resource 'nodes' is not namespace scoped
yes       <<<<------ ?? i can get nodes, but then i can't??
Simons-MBP:psp simon$ kubectl  --as=system:serviceaccount:psp-ns:sa-test get nodes
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:psp-ns:sa-test" cannot list resource "nodes" in API group "" at the cluster scope

#deployments (at least this one is consistent, although the role should allow this)
Simons-MBP:psp simon$ kubectl  --as=system:serviceaccount:psp-ns:sa-test auth can-i get deployments
no
Simons-MBP:psp simon$ kubectl  --as=system:serviceaccount:psp-ns:sa-test get deployments
Error from server (Forbidden): deployments.apps is forbidden: User "system:serviceaccount:psp-ns:sa-test" cannot list resource "deployments" in API group "apps" in the namespace "psp-ns"

我使用的角色应允许上述所有3种操作:

Simons-MBP:psp simon$ kubectl describe role test-sa-role
Name:         test-sa-role
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"test-sa-role","namespace":"psp-ns"},"rules...
PolicyRule:
  Resources    Non-Resource URLs  Resource Names  Verbs
  ---------    -----------------  --------------  -----
  deployments  []                 []              [list get]
  nodes        []                 []              [list get]
  pods         []                 []              [list get]

最后是角色绑定(bind)，表明该角色已附加到该服务帐户:

Simons-MBP:psp simon$ kubectl describe rolebinding rb-test
Name:         rb-test
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"rb-test","namespace":"psp-ns"},"rol...
Role:
  Kind:  Role
  Name:  test-sa-role
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  sa-test  psp-ns

为什么会这样呢？我期望能够获得所有节点/ pods /部署，并且auth can-i返回我尝试的所有 call 的yes。

最佳答案

Simons-MBP:psp simon$ kubectl  --as=system:serviceaccount:psp-ns:sa-test auth can-i get nodes

上面的命令仅检查ClusterRole，Role和RoleBinding定义了什么，并且由于您有一个Role可以访问节点，因此它返回yes。它并没有真正考虑node是集群处理的资源这一事实，因此应该使用ClusterRole而不是Role。
导致无法访问部署的原因是因为您可能在角色中包含apiGroups: [""]，但是部署在apps API组中。还要在命令中显式使用命名空间psp-ns

Simons-MBP:psp simon$ kubectl  --as=system:serviceaccount:psp-ns:sa-test auth can-i get deployments -n psp-ns

要访问node，您需要一个ClusterRole而不是Role，因为node是集群处理的资源。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: node-clusterrole
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: psp-ns
  name: deployment-role
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]

接着

创建一个RoleBinding或ClusterRoleBinding以将上述ClusterRole node-clusterrole绑定(bind)到服务帐户。

创建一个RoleBinding以将上述角色deployment-role绑定(bind)到服务帐户