How do I check resource permissions with curl using SelfSubjectRulesReview?


In Kubernetes you can use the auth can-i command to check whether you have permission on a given resource. For example, I can run a command like this on a worker:

kubectl --kubeconfig /etc/kubernetes/kubelet.conf auth can-i get pods -v 9  

It checks whether you are allowed to get pods, and when you add the -v flag it prints verbose output:

...
curl -k -v -XPOST  -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.18.0 (linux/amd64) kubernetes/9e99141" 'https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'  

I want to call the same REST API with curl, but it does not work:

curl --cacert /etc/kubernetes/pki/ca.crt \
     --cert /var/lib/kubelet/pki/kubelet-client-current.pem \
     --key /var/lib/kubelet/pki/kubelet-client-current.pem \
     -d @- \
     -H "Content-Type: application/json" \
     -H "Accept: application/json, */*" \
     -XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
   "kind":"SelfSubjectAccessReview",
   "apiVersion":"authorization.k8s.io/v1",
   "metadata":{
      "creationTimestamp":null
   },
   "spec":{
      "namespace":"default"
   },
   "status":{
      "allowed":true
   }
}
EOF

It fails with this error:

  "status": "Failure",
  "message": "SelfSubjectAccessReview in version \"v1\" cannot be handled as a SelfSubjectRulesReview: converting (v1.SelfSubjectAccessReview).v1.SelfSubjectAccessReviewSpec to (authorization.SelfSubjectRulesReview).authorization.SelfSubjectRulesReviewSpec: Namespace not present in src",
  "reason": "BadRequest",
  "code": 400

How can I check resource permissions with curl through the SelfSubjectRulesReview API?


Thanks to @HelloWorld, I found the problem: it was the difference between selfsubjectaccessreviews and selfsubjectrulesreviews. I will add 2 working curl examples.

1) SelfSubjectAccessReview example, to check whether the account has the following permission:

curl --cacert /etc/kubernetes/pki/ca.crt \
     --cert /var/lib/kubelet/pki/kubelet-client-current.pem \
     --key /var/lib/kubelet/pki/kubelet-client-current.pem \
     -d @- \
     -H "Content-Type: application/json" \
     -H 'Accept: application/json, */*' \
     -XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews <<'EOF'
{
   "kind":"SelfSubjectAccessReview",
   "apiVersion":"authorization.k8s.io/v1",
   "metadata":{
      "creationTimestamp":null
   },
   "spec":{
      "resourceAttributes":{
         "namespace":"default",
         "verb":"get",
         "resource":"pods"
      }
   },
   "status":{
   }
}
EOF

2) SelfSubjectRulesReview example, to list all permissions the account has in the default namespace:

curl --cacert /etc/kubernetes/pki/ca.crt \
     --cert /var/lib/kubelet/pki/kubelet-client-current.pem \
     --key /var/lib/kubelet/pki/kubelet-client-current.pem \
     -d @- \
     -H "Content-Type: application/json" \
     -H 'Accept: application/json, */*' \
     -XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
   "kind":"SelfSubjectRulesReview",
   "apiVersion":"authorization.k8s.io/v1",
   "metadata":{
      "creationTimestamp":null
   },
   "spec":{
     "namespace":"default"
   },
   "status":{
   }
}
EOF
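As an added example (not code from the question or the answer), the script below evaluates the status returned by the SelfSubjectRulesReview call in example 2 locally, using the same resource and URL matching that RBAC rules use; the response JSON is constructed for illustration, not captured from a real cluster, and the can_i function is a name chosen here.

```python
import json

# Constructed sample of what the SelfSubjectRulesReview POST above (example 2)
# might return; it is not output captured from a real cluster.
SAMPLE_REVIEW = json.loads("""
{"kind": "SelfSubjectRulesReview", "apiVersion": "authorization.k8s.io/v1",
 "status": {
   "resourceRules": [
     {"verbs": ["get", "list", "watch"], "apiGroups": [""], "resources": ["pods"]},
     {"verbs": ["update", "patch"], "apiGroups": [""], "resources": ["*/status"]},
     {"verbs": ["create"], "apiGroups": ["authorization.k8s.io"],
      "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]}],
   "nonResourceRules": [{"verbs": ["get"], "nonResourceURLs": ["/healthz", "/version/*"]}],
   "incomplete": false, "evaluationError": ""}}
""")

def _resource_matches(rule_resources, resource):
    # Same matching RBAC applies: "*", an exact name, or "*/sub" for "res/sub".
    sub = resource.partition("/")[2]
    return any(r == "*" or r == resource or (sub and r == "*/" + sub)
               for r in rule_resources)

def _url_matches(rule_urls, url):
    # "*" matches everything; a trailing "*" makes the entry a prefix match.
    return any(u == "*" or u == url or (u.endswith("*") and url.startswith(u[:-1]))
               for u in rule_urls)

def can_i(review, verb, resource=None, api_group="", url=None):
    """Answer "can I <verb> <resource>" (or a non-resource URL) from a
    SelfSubjectRulesReview status. Returns True/False, or None when the server
    marked the list incomplete; then only a SelfSubjectAccessReview (example 1)
    gives a reliable answer."""
    status = review["status"]
    if status.get("incomplete"):
        return None
    key = "nonResourceRules" if url is not None else "resourceRules"
    for rule in status.get(key, []):
        verbs = rule.get("verbs", [])
        if "*" not in verbs and verb not in verbs:
            continue
        if url is not None:
            if _url_matches(rule.get("nonResourceURLs", []), url):
                return True
        else:
            groups = rule.get("apiGroups", [])
            if ("*" in groups or api_group in groups) and \
                    _resource_matches(rule.get("resources", []), resource):
                return True
    return False
```

Pipe the real curl output into json.loads in place of SAMPLE_REVIEW to answer several can-i questions from one round trip instead of one SelfSubjectAccessReview per verb/resource pair.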
1 answer

Note that kubectl's verbose output shows this URL:

https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews

while you are curling:

https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews

Can you spot the difference? SelfSubjectAccessReview vs SelfSubjectRulesReview.

Change the URL to the correct one and it will work.
