How can I check for "exec" authorization using `kubectl auth can-i`?

How can I check "exec" authorization using `kubectl auth can-i ...`?

Although `get`, `create`, `delete`, etc. are treated as verbs, `exec` is not, as shown below:

$ kubectl --kubeconfig=config-prod.yml auth can-i exec po
Warning: verb 'exec' is not a known verb
yes

Is the `exec` authorization contained in another authorization, such as `create`?

Usually, when someone is creating RBAC rules and wants to check which verbs can be used with a resource, they run:

$ kubectl api-resources -o wide | grep pods
pods                              po           v1                                     true         Pod                              [create delete deletecollection get list patch update watch]

However, that is not the whole picture. If you use a different method, like the one below:

$ kubectl proxy &
Starting to serve on 127.0.0.1:8001
curl http://localhost:8001/api/v1
{
  "kind": "APIResourceList",
  "groupVersion": "v1",
  "resources": [
    {
...
### You will be able to find `pods` and verbs which can be used with pods
{
      "name": "pods",
      "singularName": "",
      "namespaced": true,
      "kind": "Pod",
      "verbs": [
        "create",
        "delete",
        "deletecollection",
        "get",
        "list",
        "patch",
        "update",
        "watch"
      ],
      "shortNames": [
        "po"

### But also `pods/exec` and `pods/log`
{
      "name": "pods/exec",
      "singularName": "",
      "namespaced": true,
      "kind": "PodExecOptions",
      "verbs": [
        "create",
        "get"
      ]
    },
    {
      "name": "pods/log",
      "singularName": "",
      "namespaced": true,
      "kind": "Pod",
      "verbs": [
        "get"
      ]

In Using RBAC Authorization - Referring to resources you can find information about subresources:

In the Kubernetes API, most resources are represented and accessed using a string representation of their object name, such as pods for a Pod. RBAC refers to resources using exactly the same name that appears in the URL for the relevant API endpoint. Some Kubernetes APIs involve a subresource, such as the logs for a Pod

In that documentation the example is `pods/log`, but the situation for `pods/exec` is the same.

If you use the commands:

$ kubectl auth can-i create pods/exec
yes
$ kubectl auth can-i get pods/exec
yes

## Or

$ kubectl auth can-i get pods --subresource=exec
yes
$ kubectl auth can-i create pods --subresource=exec
yes

The outputs above do not include the Warning, because I used the verbs that belong to `pods/exec` (`get` and `create`). So this is the correct syntax: the verb, then the subresource.

Why are both outputs `yes`? Because I used an admin role.

If you want to do some testing, you can create a ServiceAccount (`test`), a Role and a RoleBinding. The Role yamls are below:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-view-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-exec-view-role
rules:
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get"]

Output of `auth can-i`:

$ kubectl auth can-i create pods/exec --as=system:serviceaccount:default:test
no
$ kubectl auth can-i get pods/exec --as=system:serviceaccount:default:test
yes

Regarding the difference between `create pods/exec` and `get pods/exec`, you can check the GitHub thread Users can exec into pods with the websocket endpoint even without pods/exec create privileges, especially @liggitt's comment:

So the verb used with the pods/exec subresource is just supposed to indicate what HTTP method is used with that API endpoint?

That is how all resource verbs work (with `get` mapping to specific verbs in the special cases of `list` and `watch`). See https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb

So an admin building an RBAC role is expected to look at the code and figure out which HTTP methods are supported for the websocket exec endpoint?

No, subresources and their associated verbs should be included in the API docs. It is worth opening an issue against https://github.com/kubernetes/website/issues/ to fix the generator so it picks up those subresources.

Hope this answers your question. If you have further questions, let me know.
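To make the verb/subresource behaviour from the answer above reproducible offline, here is an added example that is not part of the original question, answer, or Kubernetes itself. It transcribes the two Roles from the answer into Python dicts (so it runs without PyYAML), models the documented RBAC rule matching (`apiGroups`, `resources`, `resourceNames`, `verbs`, with the `*` and `*/subresource` wildcards), pulls the `pods/*` subresources and their verbs out of a constructed excerpt of the `/api/v1` discovery document shown earlier, and builds the `SelfSubjectAccessReview` body that `kubectl auth can-i` sends, in which the subresource is a separate field from the verb.

```python
"""Offline model of `kubectl auth can-i VERB pods --subresource=SUB`.

Added illustration, not Kubernetes' own code. The rule matching mirrors the
documented RBAC semantics; the sample rules are the two Roles from the answer
above, transcribed from YAML into dicts. The /api/v1 excerpt is constructed
from the discovery output shown in the answer.
"""
import json

# The two Roles from the answer, transcribed from YAML.
POD_VIEW_ROLE = {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}
POD_EXEC_VIEW_ROLE = {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get"]}
RULES_BOUND_TO_TEST_SA = [POD_VIEW_ROLE, POD_EXEC_VIEW_ROLE]


def resource_matches(rule_resource, resource, subresource):
    """RBAC resource matching: '*', an exact 'pods' / 'pods/exec', or '*/exec'.
    Note that a plain 'pods' entry never matches a 'pods/exec' request."""
    combined = f"{resource}/{subresource}" if subresource else resource
    if rule_resource in ("*", combined):
        return True
    # "*/subresource" matches that subresource on any resource.
    return bool(subresource) and rule_resource == f"*/{subresource}"


def rule_allows(rule, verb, group, resource, subresource="", name=""):
    """True if a single PolicyRule grants the request."""
    if not any(g in ("*", group) for g in rule.get("apiGroups", [])):
        return False
    if not any(v in ("*", verb) for v in rule.get("verbs", [])):
        return False
    if not any(resource_matches(r, resource, subresource) for r in rule.get("resources", [])):
        return False
    # resourceNames, when set, restricts the rule to those object names.
    names = rule.get("resourceNames", [])
    return not names or name in names


def can_i(rules, verb, resource, subresource="", group="", name=""):
    """Answer for a subject whose bound Roles contain `rules`.
    RBAC is allow-only: one matching rule is enough."""
    return any(rule_allows(r, verb, group, resource, subresource, name) for r in rules)


def self_subject_access_review(verb, resource, subresource="", group="", namespace="default"):
    """Body kubectl builds for `auth can-i`. The subresource is its own field,
    which is why `can-i exec pods` warns about an unknown verb while
    `can-i get pods --subresource=exec` does not."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {
            "resourceAttributes": {
                "namespace": namespace,
                "verb": verb,
                "group": group,
                "resource": resource,
                "subresource": subresource,
            }
        },
    }


def discovery_subresources(api_resource_list, resource):
    """From an APIResourceList, return {subresource: verbs} for RESOURCE,
    e.g. {"exec": ["create", "get"], "log": ["get"]} for pods."""
    out = {}
    for r in api_resource_list["resources"]:
        parent, _, sub = r["name"].partition("/")
        if parent == resource and sub:
            out[sub] = r["verbs"]
    return out


# Constructed excerpt of /api/v1, trimmed to the entries the answer shows.
API_V1 = {
    "kind": "APIResourceList",
    "groupVersion": "v1",
    "resources": [
        {"name": "pods", "namespaced": True, "kind": "Pod",
         "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]},
        {"name": "pods/exec", "namespaced": True, "kind": "PodExecOptions", "verbs": ["create", "get"]},
        {"name": "pods/log", "namespaced": True, "kind": "Pod", "verbs": ["get"]},
    ],
}

if __name__ == "__main__":
    print("pods subresources:", discovery_subresources(API_V1, "pods"))
    for verb in ("get", "create"):
        answer = "yes" if can_i(RULES_BOUND_TO_TEST_SA, verb, "pods", "exec") else "no"
        print(f"can-i {verb} pods --subresource=exec (as test SA): {answer}")
    print(json.dumps(self_subject_access_review("create", "pods", "exec"), indent=2))
```

Run as-is it reproduces the answer's result for the `test` ServiceAccount (`get pods/exec` yes, `create pods/exec` no) and shows that `pods` with `get` does not carry over to `pods/exec` or `pods/log`; when auditing a cluster, substitute the real rules from `kubectl get role,clusterrole -o json` and check `*/exec`-style wildcards explicitly, since those grant exec on every resource that has that subresource.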