Kubernetes system:discovery role mechanism

Question (votes: 0, answers: 1)

I want to understand how the system:discovery role works in Kubernetes. Below I can see the non-resource URLs that are the privileges included in the system:discovery role:

root@kubemas:~# kubectl describe clusterrole system:discovery
Name:         system:discovery
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
             [/api/*]           []              [get]
             [/api]             []              [get]
             [/apis/*]          []              [get]
             [/apis]            []              [get]
             [/healthz]         []              [get]
             [/livez]           []              [get]
             [/openapi/*]       []              [get]
             [/openapi]         []              [get]
             [/readyz]          []              [get]
             [/version/]        []              [get]
             [/version]         []              [get]

From the clusterrolebinding description:

root@kubemas:~# kubectl describe clusterrolebindings.rbac.authorization.k8s.io system:discovery
Name:         system:discovery
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  system:discovery
Subjects:
  Kind   Name                  Namespace
  ----   ----                  ---------
  Group  system:authenticated  

I can only see that the system:authenticated group can access the non-resource URLs. If I run the following command, I can understand the result: the requesting user is system:anonymous, which belongs to the group system:unauthenticated, so it is not allowed to see the output.

root@kubemas:~# curl -k https://192.168.56.101:6443/api
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/api\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403

But I expected the same result from the request below, where I am trying to get the Kubernetes version, which is also a non-resource URL. Yet I was able to get the version output without any error. So how does this work? Have I misunderstood the mechanism?

root@kubemas:~# curl -k https://192.168.56.101:6443/version
{
  "major": "1",
  "minor": "18",
  "gitVersion": "v1.18.3",
  "gitCommit": "2e7996e3e2712684bc73f0dec0200d64eec7fe40",
  "gitTreeState": "clean",
  "buildDate": "2020-05-20T12:43:34Z",
  "goVersion": "go1.13.9",
  "compiler": "gc",
  "platform": "linux/amd64"
}root@kubemas:~#
Tags: kubernetes rbac

1 Answer

0 votes

system:public-info-viewer is the ClusterRole that grants access to /version. This ClusterRole is bound to both the system:authenticated and system:unauthenticated groups.

From the docs:

Allows read-only access to non-sensitive information about the cluster. Introduced in Kubernetes v1.14.

kubectl get clusterrole system:public-info-viewer -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2020-05-25T10:43:55Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
  resourceVersion: "48"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/system%3Apublic-info-viewer
  uid: c8f5feb1-bf63-4b51-a470-f4f968f8fabd
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  - /version
  - /version/
  verbs:
  - get
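To show why the two curl requests above behave differently, here is an added example (not code from the question, the answer, or Kubernetes itself) that models how RBAC evaluates non-resource URL requests against the two ClusterRoles and their bindings shown on this page. The matching rule it implements, exact match or prefix match when the rule URL ends in `*`, is the one RBAC uses for nonResourceURLs; the role and binding data is a reduced copy of the page's output.

```python
# Simplified model of RBAC authorization for non-resource URLs (/api, /version, ...).
# Constructed for illustration; it is not kube-apiserver code, but it follows the
# same matching semantics: a nonResourceURLs entry matches exactly, or as a prefix
# when it ends in "*", and a verb matches exactly or via "*".

# ClusterRoles from this page, reduced to their nonResourceURLs rules.
CLUSTER_ROLES = {
    "system:discovery": {
        "nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*", "/healthz",
                            "/livez", "/openapi", "/openapi/*", "/readyz",
                            "/version", "/version/"],
        "verbs": ["get"],
    },
    "system:public-info-viewer": {
        "nonResourceURLs": ["/healthz", "/livez", "/readyz", "/version", "/version/"],
        "verbs": ["get"],
    },
}

# ClusterRoleBindings from this page: role name -> groups bound to it.
CLUSTER_ROLE_BINDINGS = {
    "system:discovery": ["system:authenticated"],
    "system:public-info-viewer": ["system:authenticated", "system:unauthenticated"],
}


def url_matches(rule_url: str, requested: str) -> bool:
    """Exact match, or prefix match when the rule entry ends in '*'."""
    if rule_url == "*" or rule_url == requested:
        return True
    return rule_url.endswith("*") and requested.startswith(rule_url[:-1])


def verb_matches(rule_verbs, verb: str) -> bool:
    return "*" in rule_verbs or verb in rule_verbs


def allowed(groups, verb: str, path: str):
    """Name of the first ClusterRole granting `verb` on `path` to any of `groups`, else None."""
    for role, bound_groups in CLUSTER_ROLE_BINDINGS.items():
        if not set(groups) & set(bound_groups):
            continue  # none of the caller's groups is a subject of this binding
        rule = CLUSTER_ROLES[role]
        if verb_matches(rule["verbs"], verb) and any(url_matches(u, path) for u in rule["nonResourceURLs"]):
            return role
    return None


if __name__ == "__main__":
    anonymous = ["system:unauthenticated"]  # system:anonymous is only in this group
    for groups, path in [(anonymous, "/api"), (anonymous, "/version"), (["system:authenticated"], "/api")]:
        print(groups, "GET", path, "->", allowed(groups, "get", path) or "forbidden (403)")
```

The same check can be made against a live cluster with `kubectl auth can-i get /version --as=system:anonymous --as-group=system:unauthenticated`, which answers yes for /version and no for /api.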