通过访问限制列出的Kubernetes命名空间

通过访问限制列出的Kubernetes命名空间

本文介绍了通过访问限制列出的Kubernetes命名空间的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一组users(dev-team),只需要访问devqa命名空间.我创建了一个服务帐户,集群角色和集群角色绑定,如下所示.

I have a set of users(dev-team) who need access only to dev and qa namespaces. I created a service account, cluster role and cluster role binding as shown below.

服务帐户

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-team

集群角色

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dev-team-users
rules:
  - apiGroups: ["rbac.authorization.k8s.io",""]
    resources: ["namespaces"]
    resourceNames: ["dev","qa"]
    verbs: ["get","list","create"]

集群角色绑定

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dev-team-user-bindings
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  namespace: kube-system
  apiGroup: rbac.authorization.k8s.io

当我尝试验证访问权限时kubectl get namespaces --as=dev-team

When I try to verify the accesskubectl get namespaces --as=dev-team

我收到以下错误消息

Error from server (Forbidden): namespaces is forbidden: User "dev-team" cannot list resource "namespaces" in API group "" at the cluster scope

我希望仅显示devqa命名空间.我在这里想念东西吗?

I am expecting to see only dev and qa namespaces to show up. Am I missing something here?

推荐答案

list 操作失败,因为您正在使用ClusterRole中的resourceNames字段来限制名称空间对象以授予访问权限,但 list 将返回 all 名称空间对象.

The list operation fails because you are using the resourceNames field in the ClusterRole to restrict the namespace objects to grant access too but list would return all namespace objects.

但是我想您真正想要的是限制对命名空间中的资源的访问,而不是对命名空间对象本身的限制(其中所包含的信息比命名空间的名称少得多) ).

要实现此目的,必须在要授予用户访问权限的名称空间中创建Roles(或ClusterRole)和RoleBindings.

To achieve this, you have to create Roles (or a ClusterRole) and RoleBindings in those namespaces that you want to grant access to the users.

在这里,您可以为devqa命名空间中的dev-team用户授予对所有资源的访问权限,但拒绝对任何其他命名空间中的任何资源的访问.

Here is how you can grant access to all resources for the dev-team user in the dev and qa namespace but deny access to any resources in any other namespace.

创建一个ClusterRole(您也可以在devqa名称空间中创建一个Role,但是使用ClusterRole允许您仅定义一次权限,然后从多个RoleBindings中引用它).

Create a ClusterRole (you could also create a Role in the dev and qa namespaces, but using a ClusterRole allows you to define the permissions only once and then reference it from multiple RoleBindings):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dev-team-users
rules:
- apiGroups:
    - '*'
  resources:
  - '*'
  verbs:
  - '*'

devqa命名空间中创建一个RoleBinding:

Create a RoleBinding in both the dev and qa namespaces:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: dev-team-user-bindings
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: dev-team-user-bindings
  namespace: qa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  apiGroup: rbac.authorization.k8s.io

测试访问权限:

kubectl get pods -n qa --as=dev-team           # Succeeds
kubectl get pods -n dev --as=dev-team          # Succeeds
kubectl get pods -n default --as=dev-team      # Fails
kubectl get pods -n kube-system --as=dev-team  # Fails

请参见 Kubernetes RBAC文档.

1.识别用户创建的名称空间

无法通过RBAC执行此操作.您需要某种形式的审核.

Can't do this with RBAC. You would need some form of auditing.

2.标识用户有权访问的名称空间

使用RBAC也不容易做到这一点.但是您可以遍历所有名称空间并测试给定用户是否具有访问权限:

Also can't do this easily with RBAC. But you could just iterate through all namespaces and test whether a given user has access:

for n in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
  echo -n "$n: "
  kubectl auth can-i get pods -n "$n" --as=dev-team
done

您可以根据需要更改动词/资源部分(例如get pods).

You can vary the verb/resource part (e.g. get pods) as needed.

这篇关于通过访问限制列出的Kubernetes命名空间的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-22 20:36