Notes on K8s RBAC subresource authorization
Key point: declaring pods/* under resources does not grant access to subresources such as pods/exec, pods/log or pods/status.
Reason: https://github.com/kubernetes/kubernetes/issues/78936#issuecomment-501455971
`services/*` does not grant permissions to service status updates. If you want to give unrestricted access to all resources, you can grant that with `*`

Unrestricted access to all current and future subresources is misleading to reason about. Different subresources are used for different purposes. Authorizing all subresources of a resource assumes that no new subresource will ever be added that grants access to far more powerful capabilities. Granting access to `pods/*` would allow what is currently a restricted user access to future subresources, even if those subresources far exceeded the capabilities of the current subresources.

The format `*/scale` can be used to grant access to the subresource named `scale` on all resources, and is useful for things like autoscaling which needs access to a specific subresource.
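To make the matching rule in that comment concrete, here is an added Go example (not code from this page and not the Kubernetes authorizer itself) that reimplements the resource-matching order the upstream RBAC evaluator documents: a bare `*` matches everything, an exact string match wins, and `*/<sub>` matches that subresource on any resource. No other wildcard form exists, which is why `pods/*` matches nothing at all, not even plain `pods`. The Rule type, the Allowed function and the three role contents are constructed for illustration; API groups, namespaces and resource names are ignored to keep the focus on the resources field.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is the subset of an RBAC PolicyRule this example models (constructed).
type Rule struct {
	Verbs     []string
	Resources []string
}

// splitResource splits "pods/log" into ("pods", "log"); "pods" yields ("pods", "").
func splitResource(requested string) (resource, subresource string) {
	if i := strings.Index(requested, "/"); i >= 0 {
		return requested[:i], requested[i+1:]
	}
	return requested, ""
}

// resourceMatches follows the upstream order: "*" matches everything, an exact
// match wins, and "*/<sub>" matches <sub> on any resource. "pods/*" is just a
// literal string that no request ever equals, so it grants nothing.
func resourceMatches(ruleResources []string, requested string) bool {
	_, sub := splitResource(requested)
	for _, r := range ruleResources {
		if r == "*" || r == requested {
			return true
		}
		if sub == "" {
			continue // "*/<sub>" only applies to subresource requests
		}
		if r == "*/"+sub {
			return true
		}
	}
	return false
}

func verbMatches(ruleVerbs []string, verb string) bool {
	for _, v := range ruleVerbs {
		if v == "*" || v == verb {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants verb on the requested resource.
func Allowed(rules []Rule, verb, requested string) bool {
	for _, rule := range rules {
		if verbMatches(rule.Verbs, verb) && resourceMatches(rule.Resources, requested) {
			return true
		}
	}
	return false
}

// Constructed roles: the mistaken "pods/*" rule, the corrected explicit rules,
// and the "*/scale" form the comment recommends for autoscalers.
var BrokenRole = []Rule{{Verbs: []string{"get", "list"}, Resources: []string{"pods/*"}}}
var FixedRole = []Rule{
	{Verbs: []string{"get", "list"}, Resources: []string{"pods", "pods/log"}},
	{Verbs: []string{"create"}, Resources: []string{"pods/exec"}},
}
var ScaleRole = []Rule{{Verbs: []string{"update"}, Resources: []string{"*/scale"}}}

func main() {
	for _, req := range []string{"pods", "pods/log", "pods/exec", "pods/status"} {
		fmt.Printf("broken get %-12s -> %v\n", req, Allowed(BrokenRole, "get", req))
		fmt.Printf("fixed  get %-12s -> %v\n", req, Allowed(FixedRole, "get", req))
	}
	fmt.Println("fixed create pods/exec        ->", Allowed(FixedRole, "create", "pods/exec"))
	fmt.Println("scale update deployments/scale ->", Allowed(ScaleRole, "update", "deployments/scale"))
	fmt.Println("scale update deployments       ->", Allowed(ScaleRole, "update", "deployments"))
}
```

Running it shows every BrokenRole check as false, while FixedRole grants exactly the listed verb/subresource pairs and ScaleRole grants deployments/scale but not deployments. The practical takeaway is the same as the comment's: list each subresource explicitly (pods/log, pods/exec, pods/status) in the Role, and reserve `*` for principals that are meant to be unrestricted.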
Also, kubectl (1.18) currently has no shortcut for listing all subresources;
they can only be obtained by querying the apiserver with a script, for example:
# Enumerate every discovery path under /api and /apis, then print the resource
# names each one serves; subresources show up as names containing a slash,
# e.g. pods/exec, pods/log, pods/status. Requires kubectl and jq.
_list=($(kubectl get --raw / | grep -o '"/api[^"]*"' | tr -d '"'));
for _api in "${_list[@]}"; do
  _aruyo=$(kubectl get --raw "${_api}" 2>/dev/null | jq .resources);
  # /api, /apis and group-level paths only list versions or groups: no .resources
  if [ -n "${_aruyo}" ] && [ "x${_aruyo}" != "xnull" ]; then
    echo;
    echo "===${_api}===";
    echo "${_aruyo}" | jq -r ".[].name";
  fi;
done
Script adapted from https://stackoverflow.com/questions/57872201/how-to-refer-to-all-subresources-in-a-role-definition