roles.rbac.authorization.k8s.io 即使在 apiGroups 中也被禁止
roles.rbac.authorization.k8s.io is forbidden even added in apiGroups
我是 运行 kubernetes v1.11.5,我正在安装 helm 并为每个命名空间部署一个 tiller。
让我们关注一个命名空间。这是 tiller 服务帐户配置:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: marketplace-int
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-manager
namespace: marketplace-int
rules:
- apiGroups:
- ""
- extensions
- apps
- rbac.authorization.k8s.io
- roles.rbac.authorization.k8s.io
- authorization.k8s.io
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-binding
namespace: marketplace-int
subjects:
- kind: ServiceAccount
name: tiller
namespace: marketplace-int
roleRef:
kind: Role
name: tiller-manager
apiGroup: rbac.authorization.k8s.io
当我尝试部署图表时出现此错误:
Error: release citest failed: roles.rbac.authorization.k8s.io "marketplace-int-role-ns-admin" is forbidden:
attempt to grant extra privileges:
[{[*] [*] [*] [] []}] user=&{system:serviceaccount:marketplace-int:tiller 5c6af739-1023-11e9-a245-0ab514dfdff4
[system:serviceaccounts system:serviceaccounts:marketplace-int system:authenticated] map[]}
ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []}
{[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}
{[*] [ extensions apps rbac.authorization.k8s.io roles.rbac.authorization.k8s.io authorization.k8s.io] [*] [] []}] ruleResolutionErrors=[]
尝试为该命名空间(使用 tiller sa)创建 rbac 配置时出现错误:
# Source: marketplace/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: citest
chart: marketplace-0.1.0
heritage: Tiller
release: citest
namespace: marketplace-int
name: marketplace-int-role-ns-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
错误消息清楚地表明分柄服务帐户没有 roles.rbac.authorization.k8s.io 的权限,但如前所示已授予该权限。
$kubectl describe role tiller-manager
Name: tiller-manager
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"tiller-manager","namespace":"marketplace-i...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
* [] [] [*]
*.apps [] [] [*]
*.authorization.k8s.io [] [] [*]
*.extensions [] [] [*]
*.rbac.authorization.k8s.io [] [] [*]
*.roles.rbac.authorization.k8s.io [] [] [*]
老实说,我不完全理解检查 ownerrules 是否正常的错误消息,我试图找出这种似乎与角色描述:{[*] [*] [*] [] []}
关于我缺少哪些权限的任何线索?
首先你需要给tiller SA cluster-admin权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: marketplace-int
将 cluster-admin 角色分配给 tiller SA 后,您应该能够创建该角色。
您应该能够在同一个命名空间中创建角色。我自己尝试过,这意味着使用您在问题中描述的相同角色创建一个角色并且我能够成功完成(我将我的命名空间更改为测试),所以我认为它与您的角色定义无关但如何tiller 正在使用该特定服务帐户创建新内容。
# With an cluster-admin cluster role
$ echo '---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: test
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-manager
namespace: test
rules:
- apiGroups:
- ""
- extensions
- apps
- rbac.authorization.k8s.io
- roles.rbac.authorization.k8s.io
- authorization.k8s.io
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-binding
namespace: test
subjects:
- kind: ServiceAccount
name: tiller
namespace: test
roleRef:
kind: Role
name: tiller-manager
apiGroup: rbac.authorization.k8s.io' | kubectl apply -f -
然后:
$ kubectl -n test describe secret tiller-token-xxxxx
Name: tiller-token-xxxx
Namespace: test
Labels: <none>
Annotations: kubernetes.io/service-account.name: tiller
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 4 bytes
token: <my-token>
然后:
$ mv ~/.kube ~/.kube.tmp
$ echo 'apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: citest
chart: marketplace-0.1.0
heritage: Tiller
release: citest
namespace: test
name: marketplace-int-role-ns-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]' | kubectl -n test --token <your-token> --server <your-kubeapiserver> apply -f -
role.rbac.authorization.k8s.io/marketplace-int-role-ns-admin created
这是由于 RBAC 中的权限升级预防。有关详细信息,请参阅 https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping。
创建角色对象的权限是必要的,但还不够。
如果至少满足以下条件之一,则用户只能 create/update 一个角色:
他们已经拥有角色中包含的所有权限,在与正在修改的对象相同的范围内(ClusterRole 在集群范围内,在相同的命名空间内或角色在集群范围内) .在您的情况下,这意味着尝试创建角色的用户必须已经在其尝试创建角色的名称空间内具有 apiGroups=*, resources=*, verbs=* 权限。您可以通过使用角色绑定将 cluster-admin clusterrole 授予该名称空间中的服务帐户来授予此权限。
他们被授予对 rbac.authorization.k8s.io API 组中的角色或集群角色资源执行 "escalate" 动词的明确许可( Kubernetes 1.12 及更新版本)
我是 运行 kubernetes v1.11.5,我正在安装 helm 并为每个命名空间部署一个 tiller。 让我们关注一个命名空间。这是 tiller 服务帐户配置:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: marketplace-int
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-manager
namespace: marketplace-int
rules:
- apiGroups:
- ""
- extensions
- apps
- rbac.authorization.k8s.io
- roles.rbac.authorization.k8s.io
- authorization.k8s.io
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-binding
namespace: marketplace-int
subjects:
- kind: ServiceAccount
name: tiller
namespace: marketplace-int
roleRef:
kind: Role
name: tiller-manager
apiGroup: rbac.authorization.k8s.io
当我尝试部署图表时出现此错误:
Error: release citest failed: roles.rbac.authorization.k8s.io "marketplace-int-role-ns-admin" is forbidden:
attempt to grant extra privileges:
[{[*] [*] [*] [] []}] user=&{system:serviceaccount:marketplace-int:tiller 5c6af739-1023-11e9-a245-0ab514dfdff4
[system:serviceaccounts system:serviceaccounts:marketplace-int system:authenticated] map[]}
ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []}
{[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}
{[*] [ extensions apps rbac.authorization.k8s.io roles.rbac.authorization.k8s.io authorization.k8s.io] [*] [] []}] ruleResolutionErrors=[]
尝试为该命名空间(使用 tiller sa)创建 rbac 配置时出现错误:
# Source: marketplace/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: citest
chart: marketplace-0.1.0
heritage: Tiller
release: citest
namespace: marketplace-int
name: marketplace-int-role-ns-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
错误消息清楚地表明分柄服务帐户没有 roles.rbac.authorization.k8s.io 的权限,但如前所示已授予该权限。
$kubectl describe role tiller-manager
Name: tiller-manager
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"tiller-manager","namespace":"marketplace-i...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
* [] [] [*]
*.apps [] [] [*]
*.authorization.k8s.io [] [] [*]
*.extensions [] [] [*]
*.rbac.authorization.k8s.io [] [] [*]
*.roles.rbac.authorization.k8s.io [] [] [*]
老实说,我不完全理解检查 ownerrules 是否正常的错误消息,我试图找出这种似乎与角色描述:{[*] [*] [*] [] []}
关于我缺少哪些权限的任何线索?
首先你需要给tiller SA cluster-admin权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: marketplace-int
将 cluster-admin 角色分配给 tiller SA 后,您应该能够创建该角色。
您应该能够在同一个命名空间中创建角色。我自己尝试过,这意味着使用您在问题中描述的相同角色创建一个角色并且我能够成功完成(我将我的命名空间更改为测试),所以我认为它与您的角色定义无关但如何tiller 正在使用该特定服务帐户创建新内容。
# With an cluster-admin cluster role
$ echo '---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: test
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-manager
namespace: test
rules:
- apiGroups:
- ""
- extensions
- apps
- rbac.authorization.k8s.io
- roles.rbac.authorization.k8s.io
- authorization.k8s.io
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-binding
namespace: test
subjects:
- kind: ServiceAccount
name: tiller
namespace: test
roleRef:
kind: Role
name: tiller-manager
apiGroup: rbac.authorization.k8s.io' | kubectl apply -f -
然后:
$ kubectl -n test describe secret tiller-token-xxxxx
Name: tiller-token-xxxx
Namespace: test
Labels: <none>
Annotations: kubernetes.io/service-account.name: tiller
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 4 bytes
token: <my-token>
然后:
$ mv ~/.kube ~/.kube.tmp
$ echo 'apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: citest
chart: marketplace-0.1.0
heritage: Tiller
release: citest
namespace: test
name: marketplace-int-role-ns-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]' | kubectl -n test --token <your-token> --server <your-kubeapiserver> apply -f -
role.rbac.authorization.k8s.io/marketplace-int-role-ns-admin created
这是由于 RBAC 中的权限升级预防。有关详细信息,请参阅 https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping。
创建角色对象的权限是必要的,但还不够。
如果至少满足以下条件之一,则用户只能 create/update 一个角色:
他们已经拥有角色中包含的所有权限,在与正在修改的对象相同的范围内(ClusterRole 在集群范围内,在相同的命名空间内或角色在集群范围内) .在您的情况下,这意味着尝试创建角色的用户必须已经在其尝试创建角色的名称空间内具有
apiGroups=*, resources=*, verbs=*权限。您可以通过使用角色绑定将 cluster-admin clusterrole 授予该名称空间中的服务帐户来授予此权限。他们被授予对 rbac.authorization.k8s.io API 组中的角色或集群角色资源执行 "escalate" 动词的明确许可( Kubernetes 1.12 及更新版本)