我想了解system:discovery角色在kubernetes中是如何工作的。我可以在下面看到非资源url是system:discovery角色中包含的特权
root@kubemas:~# kubectl describe clusterrole system:discovery
Name: system:discovery
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version] [] [get]
来自clusterrolebinding描述,
root@kubemas:~# kubectl describe clusterrolebindings.rbac.authorization.k8s.io system:discovery
Name: system:discovery
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: system:discovery
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:authenticated
我只能看到system:authenticated组可以访问非资源URL。如果我执行以下命令,我可以理解,请求用户是system:anonymous,该用户属于group system:unthenticated,因此不允许查看输出
root@kubemas:~# curl -k https://192.168.56.101:6443/api
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/api\"",
"reason": "Forbidden",
"details": {
},
"code": 403
但是我在下面的请求中也期望得到同样的结果,我正试图获得同样没有资源URL的kubernetes版本。但是我能够无错误地获得版本输出。所以这是如何工作的。是我被误解了这种机制?
root@kubemas:~# curl -k https://192.168.56.101:6443/version
{
"major": "1",
"minor": "18",
"gitVersion": "v1.18.3",
"gitCommit": "2e7996e3e2712684bc73f0dec0200d64eec7fe40",
"gitTreeState": "clean",
"buildDate": "2020-05-20T12:43:34Z",
"goVersion": "go1.13.9",
"compiler": "gc",
"platform": "linux/amd64"
}root@kubemas:~#
system:public-info-viewer
是可访问/version
的簇角色。该团簇与system:authenticated
和system:unauthenticated
基团结合。
来自docs
此簇允许对非敏感信息进行只读访问关于集群。在Kubernetes v1.14中引入。
kubectl get clusterrole system:public-info-viewer -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: "2020-05-25T10:43:55Z"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:public-info-viewer
resourceVersion: "48"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/system%3Apublic-info-viewer
uid: c8f5feb1-bf63-4b51-a470-f4f968f8fabd
rules:
- nonResourceURLs:
- /healthz
- /livez
- /readyz
- /version
- /version/
verbs:
- get