In Kubernetes you can use the auth can-i
command to check whether you have permission for a given resource. For example, I can run a command like this on a worker:
kubectl --kubeconfig /etc/kubernetes/kubelet.conf auth can-i get pods -v 9
It checks whether you have permission to view pods, and when you add the -v
flag it shows verbose output.
...
curl -k -v -XPOST -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.18.0 (linux/amd64) kubernetes/9e99141" 'https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
I want to use this REST API with curl,
but it does not work.
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H "Accept: application/json, */*" \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
"allowed":true
}
}
EOF
It fails with this error:
"status": "Failure",
"message": "SelfSubjectAccessReview in version \"v1\" cannot be handled as a SelfSubjectRulesReview: converting (v1.SelfSubjectAccessReview).v1.SelfSubjectAccessReviewSpec to (authorization.SelfSubjectRulesReview).authorization.SelfSubjectRulesReviewSpec: Namespace not present in src",
"reason": "BadRequest",
"code": 400
How can I use the SelfSubjectRulesReview API with curl to view resource permissions?
Thanks to @HelloWorld I found the problem: it was the difference between selfsubjectaccessreviews and selfsubjectrulesreviews. I will put the two working curl
examples here.
1) SelfSubjectAccessReview example, to check whether the account has the following permission:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"resourceAttributes":{
"namespace":"default",
"verb":"get",
"resource":"pods"
}
},
"status":{
}
}
EOF
2) SelfSubjectRulesReview example, to see all the permissions the account has in the default namespace:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectRulesReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
}
}
EOF
Note that the kubectl verbose output shows this URL:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews
whereas you are curling:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews
Can you spot the difference? selfsubjectaccessreviews vs selfsubjectrulesreviews.
Change the URL to the correct one and it will work.
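The mistake both answers point at is a body of one kind sent to the URL of the other. The script below is an added example, not code from the question or from either answer: it builds the two review bodies, derives the POST path from the body's own "kind" field so the two can no longer be mixed up, and extracts status.allowed from a SelfSubjectAccessReview response. It assumes the kubeadm certificate paths used on this page, a POSIX sh with curl and sed, and an API server address supplied in $API (the <master_ip> placeholder is kept from the page and must be replaced).

```shell
#!/bin/sh
# Added example (not from the original question or answers). Assumes the
# kubeadm-style cert paths shown on the page; $API is a placeholder.
set -eu

API="${API:-https://<master_ip>:6443}"          # replace <master_ip> before running
CACERT="${CACERT:-/etc/kubernetes/pki/ca.crt}"
CLIENT_PEM="${CLIENT_PEM:-/var/lib/kubelet/pki/kubelet-client-current.pem}"

# Map a review kind to the collection it must be POSTed to. The bug on this
# page was a SelfSubjectAccessReview body posted to the selfsubjectrulesreviews
# URL; deriving the path from the kind removes that class of mistake.
review_path() {
  case "$1" in
    SelfSubjectAccessReview) echo "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" ;;
    SelfSubjectRulesReview)  echo "/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" ;;
    *) echo "unknown review kind: $1" >&2; return 1 ;;
  esac
}

# Read the "kind" field out of a JSON body on stdin (first match wins).
body_kind() {
  sed -n 's/.*"kind"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p' | head -n 1
}

# Body for "may I <verb> <resource> in <namespace>?" (args: ns verb resource)
sar_body() {
  cat <<EOF
{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1",
 "spec":{"resourceAttributes":{"namespace":"$1","verb":"$2","resource":"$3"}}}
EOF
}

# Body for "what may I do in <namespace>?" (arg: ns)
srr_body() {
  cat <<EOF
{"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1",
 "spec":{"namespace":"$1"}}
EOF
}

# POST a review body (stdin) to the endpoint that matches its kind, using the
# kubelet client certificate for mTLS exactly as the curl commands above do.
post_review() {
  body=$(cat)
  kind=$(printf '%s\n' "$body" | body_kind)
  path=$(review_path "$kind")
  printf '%s\n' "$body" | curl -sS --cacert "$CACERT" \
    --cert "$CLIENT_PEM" --key "$CLIENT_PEM" \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    -X POST --data-binary @- "$API$path"
}

# Pull status.allowed (true/false) out of a SelfSubjectAccessReview response.
sar_allowed() {
  sed -n 's/.*"allowed"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1
}

# Usage:  ./review.sh access default get pods   -> prints true or false
#         ./review.sh rules default              -> prints the rules review JSON
case "${1:-}" in
  access) sar_body "${2:-default}" "${3:-get}" "${4:-pods}" | post_review | sar_allowed ;;
  rules)  srr_body "${2:-default}" | post_review ;;
esac
```

The rules review lists every verb/resource pair the caller holds in the namespace, which is the quicker way to enumerate what a node or service-account credential can do; the access review answers one specific question, which is what kubectl auth can-i sends.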