我想了解一下system:discovery角色在kubernetes中是如何工作的,我可以看到下面的非资源url是system:discovery角色中包含的权限。
root@kubemas:~# kubectl describe clusterrole system:discovery
Name: system:discovery
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version] [] [get]
从clusterrolebinding描述中。
root@kubemas:~# kubectl describe clusterrolebindings.rbac.authorization.k8s.io system:discovery
Name: system:discovery
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: system:discovery
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:authenticated
我可以看到只有system:authenticated组才能访问非资源url.如果我执行下面的命令,我可以理解,请求用户是system:anonymous,它隶属于system:unathenticated组,所以不允许看到输出。
root@kubemas:~# curl -k https://192.168.56.101:6443/api
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/api\"",
"reason": "Forbidden",
"details": {
},
"code": 403
但我希望从下面的请求中得到同样的结果,我试图得到kubernetes的版本,这也是非资源url.但我可以无误地得到版本输出,所以这是如何工作的,我是否误解了这个机制?
root@kubemas:~# curl -k https://192.168.56.101:6443/version
{
"major": "1",
"minor": "18",
"gitVersion": "v1.18.3",
"gitCommit": "2e7996e3e2712684bc73f0dec0200d64eec7fe40",
"gitTreeState": "clean",
"buildDate": "2020-05-20T12:43:34Z",
"goVersion": "go1.13.9",
"compiler": "gc",
"platform": "linux/amd64"
}root@kubemas:~#
system:public-info-viewer
是提供访问权限的集群角色 /version
. 这个簇状ole必然是 system:authenticated
和 system:unauthenticated
组。由于它必然会 system:unauthenticated
组,您就可以访问它。
从 文件
该集群ole 允许只读访问集群的非敏感信息。在Kubernetes v1.14中引入。
kubectl describe clusterrole system:public-info-viewer
Name: system:public-info-viewer
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
[/healthz] [] [get]
[/livez] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version] [] [get]