Kubernetes RBAC "allowed by RoleBinding" but "cannot list resource"

Question    Votes: 0    Answers: 1

I am deploying an application to my Kubernetes cluster which uses the Kubernetes API to list the pods in the cluster (not just the pods in its own namespace). The application will live in its own namespace.

The RBAC rules are as follows:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: kubecontrol-rbac-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: kubecontrol-rbac-role-binding
  namespace: kubecontrol
subjects:
  - kind: ServiceAccount
    namespace: kubecontrol
    name: default
roleRef:
  kind: ClusterRole
  name: kubecontrol-rbac-role
  apiGroup: rbac.authorization.k8s.io

As you can see, I have a ClusterRole that grants the "list", "get" and "watch" verbs on the "pods" resource, and a RoleBinding that applies this ClusterRole to the namespace's default ServiceAccount.

When I check the authorization with kubectl auth can-i, this configuration appears to be correct:
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods
yes
$ kubectl -n kubecontrol auth can-i --as=system:serviceaccount:kubecontrol:default list pods --v=8
...
I0326 23:17:05.125188   56505 request.go:947] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"kubecontrol","verb":"list","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"kubecontrol-rbac-role-binding/kubecontrol\" of ClusterRole \"kubecontrol-rbac-role\" to ServiceAccount \"default/kubecontrol\""}}

RBAC: allowed by RoleBinding "kubecontrol-rbac-role-binding/kubecontrol" of ClusterRole "kubecontrol-rbac-role" to ServiceAccount "default/kubecontrol"

However, when I actually try to perform the operation, I am told that I am not allowed to:

$ kubectl get pod --as=system:serviceaccount:kubecontrol:default --all-namespaces
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:kubecontrol:default" cannot list resource "pods" in API group "" at the cluster scope

I see the same error message in the application.

The user (system:serviceaccount:kubecontrol:default) is the same in both cases, so why can I not list pods, even though Kubernetes itself says I am allowed to? Is there something I am missing?


kubernetes kubectl rbac
1 Answer

0 votes

With --all-namespaces you list the pods in all namespaces of the cluster. However, because you only used a RoleBinding, the ClusterRole is only granted its permissions within the given namespace (kubecontrol in your case). You have to use a ClusterRoleBinding instead for the ClusterRole to apply to the whole cluster.
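To make the answer concrete, here is an added Python model of the RBAC decision (example code written for this page, not from the original post or from Kubernetes itself): a RoleBinding only matches requests whose namespace equals the binding's own namespace, so the cluster-scoped request behind --all-namespaces (namespace "") falls through it, while a ClusterRoleBinding to the same ClusterRole matches it. The names POD_READER, authorize() and demo() are my own.

```python
# Minimal model of the Kubernetes RBAC authorizer (added example, not the
# real implementation), built from the ClusterRole and RoleBinding in the
# question, plus the ClusterRoleBinding the answer recommends.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:                      # one entry of a (Cluster)Role's "rules:" list
    api_groups: FrozenSet[str]
    resources: FrozenSet[str]
    verbs: FrozenSet[str]


@dataclass(frozen=True)
class Binding:
    role_rules: tuple            # rules of the referenced ClusterRole
    subjects: FrozenSet[str]     # e.g. "system:serviceaccount:kubecontrol:default"
    namespace: Optional[str]     # RoleBinding: its namespace; ClusterRoleBinding: None


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    resource: str
    namespace: str               # "" = cluster scope, which is what --all-namespaces asks
    api_group: str = ""


def _matches(wanted: str, allowed: FrozenSet[str]) -> bool:
    return "*" in allowed or wanted in allowed


def authorize(bindings: List[Binding], req: Request) -> bool:
    """Return True if any binding grants the request; Kubernetes denies by default."""
    for b in bindings:
        if req.user not in b.subjects:
            continue
        # A RoleBinding only grants rights inside its own namespace, so a request
        # at cluster scope (namespace "") can never match it. A ClusterRoleBinding
        # (namespace None) matches every namespace and the cluster scope.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        for r in b.role_rules:
            if (_matches(req.api_group, r.api_groups) and _matches(req.resource, r.resources)
                    and _matches(req.verb, r.verbs)):
                return True
    return False


# The ClusterRole "kubecontrol-rbac-role" from the question, as a rule set.
POD_READER = (Rule(frozenset({""}), frozenset({"pods"}), frozenset({"get", "watch", "list"})),)
SA = "system:serviceaccount:kubecontrol:default"
ROLE_BINDING = Binding(POD_READER, frozenset({SA}), namespace="kubecontrol")   # as posted
CLUSTER_ROLE_BINDING = Binding(POD_READER, frozenset({SA}), namespace=None)    # the fix

NAMESPACED_LIST = Request(SA, "list", "pods", "kubecontrol")   # auth can-i -n kubecontrol
CLUSTER_LIST = Request(SA, "list", "pods", "")                  # get pod --all-namespaces


def demo() -> dict:
    return {
        "rolebinding/namespaced": authorize([ROLE_BINDING], NAMESPACED_LIST),          # True
        "rolebinding/cluster": authorize([ROLE_BINDING], CLUSTER_LIST),                # False
        "clusterrolebinding/cluster": authorize([CLUSTER_ROLE_BINDING], CLUSTER_LIST), # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'forbidden'}")
```

On a real cluster the same distinction shows up by asking the cluster-scoped question directly: `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:kubecontrol:default` returns "no" with the RoleBinding alone, whereas the `-n kubecontrol` check in the post only asks about that one namespace.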

© www.soinside.com 2019 - 2024. All rights reserved.