K8s-rbac: some notes on subresource authorization: Difference between revisions
Latest revision as of 19:42, 21 November 2023 (Tue)
In an RBAC definition (e.g. a Role or ClusterRole), declaring <code>pods/*</code> under <code>resources</code> has no effect on granting access to subresources such as <code>pods/exec</code>, <code>pods/log</code> and <code>pods/status</code>.

Reason: https://github.com/kubernetes/kubernetes/issues/78936#issuecomment-501455971

<blockquote><code>services/*</code> does not grant permissions to service status updates. If you want to give unrestricted access to all resources, you can grant that with <code>*</code>

Unrestricted access to all current and future subresources is misleading to reason about. Different subresources are used for different purposes. Authorizing all subresources of a resource assumes that no new subresource will ever be added that grants access to far more powerful capabilities. Granting access to <code>pods/*</code> would allow what is currently a restricted user access to future subresources, even if those subresources far exceeded the capabilities of the current subresources.

The format <code>*/scale</code> can be used to grant access to the subresource named <code>scale</code> on all resources, and is useful for things like autoscaling which needs access to a specific subresource.</blockquote>
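As an added illustration (not code from this wiki page, the linked issue or Kubernetes itself), the following Go program models the matching behaviour the quoted comment describes: <code>*</code> grants everything, any other entry must equal the requested <code>resource</code> or <code>resource/subresource</code> string exactly, and <code>*/&lt;sub&gt;</code> is the only wildcard form for subresources. The names <code>Rule</code>, <code>resourceMatches</code> and <code>coverage</code> are chosen here; the program reimplements the described semantics rather than calling the Kubernetes API, so it can be used to audit a role's <code>resources</code> list offline before applying it.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule holds the resources list of one RBAC PolicyRule. apiGroups and
// verbs are omitted because only resource matching is modelled here.
type Rule struct {
	Resources []string
}

// resourceMatches models the behaviour the quoted comment describes:
//   - "*" grants every resource and subresource;
//   - any other entry must equal the requested "resource" or
//     "resource/subresource" string exactly;
//   - "*/<sub>" grants the subresource <sub> on every resource.
// "pods/*" is therefore a literal string that no request ever equals,
// so it grants nothing at all (not even "pods").
func resourceMatches(r Rule, resource, subresource string) bool {
	requested := resource
	if subresource != "" {
		requested = resource + "/" + subresource
	}
	for _, rr := range r.Resources {
		if rr == "*" || rr == requested {
			return true
		}
		if subresource != "" && strings.HasPrefix(rr, "*/") && rr[2:] == subresource {
			return true
		}
	}
	return false
}

// coverage evaluates every (resource, subresource) request against a rule
// and returns a map keyed by "resource[/subresource]" with the decision.
func coverage(r Rule, requests [][2]string) map[string]bool {
	out := make(map[string]bool, len(requests))
	for _, req := range requests {
		key := req[0]
		if req[1] != "" {
			key += "/" + req[1]
		}
		out[key] = resourceMatches(r, req[0], req[1])
	}
	return out
}

func main() {
	requests := [][2]string{
		{"pods", ""}, {"pods", "log"}, {"pods", "exec"}, {"pods", "status"},
		{"deployments", "scale"},
	}
	rules := []Rule{
		{Resources: []string{"pods/*"}},                        // the mistaken form: grants nothing
		{Resources: []string{"pods", "pods/log", "pods/exec"}}, // explicit listing: least privilege
		{Resources: []string{"*/scale"}},                       // one subresource on every resource
		{Resources: []string{"*"}},                             // everything, present and future
	}
	for _, r := range rules {
		fmt.Printf("resources: %v\n", r.Resources)
		cov := coverage(r, requests)
		for _, req := range requests {
			key := req[0]
			if req[1] != "" {
				key += "/" + req[1]
			}
			fmt.Printf("  %-18s allowed=%v\n", key, cov[key])
		}
	}
}
```

Running it shows the first rule denying every request, which is exactly the silent failure the page warns about: the role applies without error, but the subject cannot read logs or exec, and a reviewer who reads <code>pods/*</code> as "all pod subresources" is misled.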
Also, kubectl (1.18 at the time of writing) has no quick way to list all subresources; the only option is a script that queries the apiserver directly, for example:

# Collect every API path advertised at the apiserver root (/api, /api/v1, /apis/apps/v1, ...),
# then print the resource names (subresources included, e.g. pods/log) served by each path
# that returns an APIResourceList; paths without a .resources field (/api, /apis/<group>) are skipped.
_list=($(kubectl get --raw / | grep '^ *"/api' | sed 's/[",]//g'))
for _api in "${_list[@]}"; do
  _doc=$(kubectl get --raw "${_api}")
  _aruyo=$(echo "${_doc}" | jq .resources)
  if [ "x${_aruyo}" != "xnull" ]; then
    echo
    echo "===${_api}==="
    echo "${_doc}" | jq -r '.resources[].name'
  fi
done

Script taken from https://stackoverflow.com/questions/57872201/how-to-refer-to-all-subresources-in-a-role-definition
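The script above prints every resource name; when writing a role you usually want only the subresources, so you can list each one explicitly. As an added example (not from this page or the StackOverflow answer), the Go program below parses one discovery document of the kind <code>kubectl get --raw /api/v1</code> returns and keeps only the entries whose name contains a <code>/</code>. <code>sampleCoreV1</code> is a constructed, trimmed sample rather than output captured from a cluster, and <code>apiResourceList</code> and <code>subresources</code> are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// apiResourceList is the part of an APIResourceList discovery document
// (what GET /api/v1 or /apis/<group>/<version> returns) that matters here:
// every resource name, where subresources appear as "resource/subresource".
type apiResourceList struct {
	GroupVersion string `json:"groupVersion"`
	Resources    []struct {
		Name  string   `json:"name"`
		Verbs []string `json:"verbs"`
	} `json:"resources"`
}

// subresources parses one discovery document and returns the sorted names
// of its subresources, i.e. the entries whose name contains a "/".
// Documents without a resources list (the APIVersions object at /api, or an
// APIGroup at /apis/<group>) simply yield an empty result.
func subresources(doc []byte) ([]string, error) {
	var list apiResourceList
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, fmt.Errorf("decode discovery document: %w", err)
	}
	out := []string{}
	for _, r := range list.Resources {
		if strings.Contains(r.Name, "/") {
			out = append(out, r.Name)
		}
	}
	sort.Strings(out)
	return out, nil
}

// sampleCoreV1 is a constructed, trimmed stand-in for the output of
// `kubectl get --raw /api/v1`; it was not captured from a real cluster.
const sampleCoreV1 = `{
  "kind": "APIResourceList",
  "groupVersion": "v1",
  "resources": [
    {"name": "pods", "namespaced": true, "kind": "Pod", "verbs": ["create","delete","get","list","watch"]},
    {"name": "pods/exec", "namespaced": true, "kind": "PodExecOptions", "verbs": ["create","get"]},
    {"name": "pods/log", "namespaced": true, "kind": "Pod", "verbs": ["get"]},
    {"name": "pods/status", "namespaced": true, "kind": "Pod", "verbs": ["get","patch","update"]},
    {"name": "services", "namespaced": true, "kind": "Service", "verbs": ["create","get","list"]},
    {"name": "services/status", "namespaced": true, "kind": "Service", "verbs": ["get","patch","update"]}
  ]
}`

func main() {
	subs, err := subresources([]byte(sampleCoreV1))
	if err != nil {
		panic(err)
	}
	fmt.Println("subresources in v1 (constructed sample):")
	for _, s := range subs {
		fmt.Println("  " + s)
	}
}
```

To run it against a live cluster, feed the program the bytes of <code>kubectl get --raw /api/v1</code> (or any <code>/apis/&lt;group&gt;/&lt;version&gt;</code> path) instead of the sample; the resulting names are exactly the strings that belong in a role's <code>resources</code> list, since <code>pods/*</code> will never match any of them.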