Listing Kubernetes namespaces with restricted access

Question (0 votes, 1 answer)

I have a group of users (dev-team) who only need access to the `dev` and `qa` namespaces. I created a service account, a cluster role and a cluster role binding as shown below.

Service account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-team

Cluster role

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dev-team-users
rules:
  - apiGroups: ["rbac.authorization.k8s.io",""]
    resources: ["namespaces"]
    resourceNames: ["dev","qa"]
    verbs: ["get","list","create"]

Cluster role binding

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dev-team-user-bindings
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  namespace: kube-system
  apiGroup: rbac.authorization.k8s.io

When I try to verify access with kubectl get namespaces --as=dev-team

I get the following error message:

Error from server (Forbidden): namespaces is forbidden: User "dev-team" cannot list resource "namespaces" in API group "" at the cluster scope

I expect only the `dev` and `qa` namespaces to be shown. Am I missing something here?

kubernetes rbac
1 answer
0 votes

The list operation fails because you are using the resourceNames field in the ClusterRole to restrict which Namespace objects access is granted to, but list returns all Namespace objects.

But I guess what you really want is to restrict access to resources in the namespaces, not to the Namespace objects themselves (which contain little information beyond the namespace's name). To achieve this, you have to create Roles (or a ClusterRole) and RoleBindings in the namespaces you want to grant the users access to.

Here is how to allow the dev-team user to perform all operations in the dev and qa namespaces, but deny any operation in any other namespace. Create a ClusterRole (you could also create Roles in the dev and qa namespaces, but using a ClusterRole lets you define the permissions only once and then reference them from multiple RoleBindings):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dev-team-users
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - '*'
  # nonResourceURLs rules only take effect through a ClusterRoleBinding;
  # they are inert when this ClusterRole is referenced from a namespaced RoleBinding.
  - nonResourceURLs:
      - '*'
    verbs:
      - '*'

And create a RoleBinding in both the dev and qa namespaces:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: dev-team-user-bindings
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: dev-team-user-bindings
  namespace: qa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  apiGroup: rbac.authorization.k8s.io

Test access:

kubectl get pods -n qa --as=dev-team           # Succeeds
kubectl get pods -n dev --as=dev-team          # Succeeds
kubectl get pods -n default --as=dev-team      # Fails
kubectl get pods -n kube-system --as=dev-team  # Fails
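To make the two points of the answer concrete without a cluster, here is an added example (not the answerer's code and not the Kubernetes authorizer itself): a small offline model of how RBAC matches a request against rules and bindings. It encodes the two facts the answer relies on, that a rule with resourceNames can never satisfy a list (a list request carries no object name), and that a RoleBinding only grants inside its own namespace while cluster-scoped requests need a ClusterRoleBinding. The Rule, Request, Binding, rule_allows and authorize names, and the two binding sets built from the question's and the answer's manifests, are all constructed for this example.

```python
"""Offline model of Kubernetes RBAC rule matching (constructed example).

Mirrors the matching logic of the RBAC authorizer closely enough to show
why the question's resourceNames rule cannot allow `list`, and why the
answer's namespaced RoleBindings confine dev-team to dev and qa. It does
not talk to a cluster and is not the real authorizer.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


@dataclass
class Request:
    verb: str
    api_group: str
    resource: str
    namespace: str = ""  # "" means a cluster-scoped request
    name: str = ""       # "" for list/watch/create, which carry no object name


@dataclass
class Binding:
    """A RoleBinding (namespace set) or a ClusterRoleBinding (namespace "")."""
    subject: str
    rules: list
    namespace: str = ""


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    # resourceNames only matches requests that name a specific object.
    # list, watch and create have no name, so such a rule never allows them.
    if rule.resource_names and req.name not in rule.resource_names:
        return False
    return (_matches(rule.verbs, req.verb)
            and _matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource))


def authorize(bindings, subject: str, req: Request) -> bool:
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding grants only inside its own namespace; cluster-scoped
        # requests (namespace "") can only be allowed by a ClusterRoleBinding.
        if b.namespace and b.namespace != req.namespace:
            continue
        if any(rule_allows(r, req) for r in b.rules):
            return True
    return False


# The question's layout: one ClusterRoleBinding to a ClusterRole that
# limits Namespace objects via resourceNames.
QUESTION_BINDINGS = [
    Binding("dev-team", [Rule(["rbac.authorization.k8s.io", ""], ["namespaces"],
                              ["get", "list", "create"], ["dev", "qa"])]),
]

# The answer's layout: a wildcard ClusterRole referenced from RoleBindings
# in the dev and qa namespaces only.
ANSWER_BINDINGS = [
    Binding("dev-team", [Rule(["*"], ["*"], ["*"])], namespace="dev"),
    Binding("dev-team", [Rule(["*"], ["*"], ["*"])], namespace="qa"),
]


def demo() -> dict:
    """Evaluate the requests from the question and the answer's test commands."""
    return {
        "question/list namespaces": authorize(
            QUESTION_BINDINGS, "dev-team", Request("list", "", "namespaces")),
        "question/get namespace dev": authorize(
            QUESTION_BINDINGS, "dev-team", Request("get", "", "namespaces", name="dev")),
        "question/get namespace default": authorize(
            QUESTION_BINDINGS, "dev-team", Request("get", "", "namespaces", name="default")),
        "answer/list pods in dev": authorize(
            ANSWER_BINDINGS, "dev-team", Request("list", "", "pods", namespace="dev")),
        "answer/list pods in qa": authorize(
            ANSWER_BINDINGS, "dev-team", Request("list", "", "pods", namespace="qa")),
        "answer/list pods in default": authorize(
            ANSWER_BINDINGS, "dev-team", Request("list", "", "pods", namespace="default")),
        "answer/list namespaces": authorize(
            ANSWER_BINDINGS, "dev-team", Request("list", "", "namespaces")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

Running it shows the asymmetry the answer describes: with the question's ClusterRole, `get` on the named namespace `dev` is allowed while `list` is denied, and with the answer's RoleBindings, pod access is allowed in dev and qa, denied in default, and the cluster-scoped namespace listing stays denied because no ClusterRoleBinding exists. Against a real cluster the equivalent check is `kubectl auth can-i <verb> <resource> -n <namespace> --as=dev-team`.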
