K8s RBAC: notes on subresource authorization

From 三线的随记
Revision as of 19:42, 21 November 2023 (Tue) by Admin

In an RBAC definition (a Role or ClusterRole, for example), declaring resources: ["pods/*"] does not grant access to subresources such as pods/exec, pods/log or pods/status. Only a literal *, the exact name (pods/exec) or the */subresource form (*/exec) matches a subresource request.

Reason (from the upstream discussion): https://github.com/kubernetes/kubernetes/issues/78936#issuecomment-501455971

services/* does not grant permissions to service status updates.

If you want to give unrestricted access to all resources, you can grant that with *

Unrestricted access to all current and future subresources is misleading to reason about. Different subresources are used for different purposes. Authorizing all subresources of a resource assumes that no new subresource will ever be added that grants access to far more powerful capabilities. Granting access to pods/* would allow what is currently a restricted user access to future subresources, even if those subresources far exceeded the capabilities of the current subresources.

The format */scale can be used to grant access to the subresource named scale on all resources, and is useful for things like autoscaling which needs access to a specific subresource.
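The matching rules quoted above, worked through in code. This is an added example, not code from the page or from the Kubernetes project: resourceMatches reimplements the resource-matching step of the RBAC authorizer as I understand it (the upstream function name and its location in the kubernetes source are my assumption, not something the page states); PolicyRule is a stripped-down stand-in that ignores verbs and apiGroups. The three rule sets show the misleading pods/* pattern beside the explicit form that actually grants pods and pods/log, and the */scale form the thread recommends.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a stripped-down stand-in for the rbac.authorization.k8s.io/v1
// PolicyRule (assumed shape for this example); verbs and apiGroups are omitted
// because only the Resources field matters for subresource matching.
type PolicyRule struct {
	Resources []string
}

// resourceMatches reimplements the resource-matching step of the RBAC
// authorizer as described in the linked issue thread (illustration only, not
// the kubernetes source): a rule entry matches when it is the wildcard "*",
// when it equals the requested "resource/subresource" string exactly, or when
// it is "*/<subresource>" and the request is for that subresource on any
// resource. "pods/*" meets none of these conditions, so it never grants a
// subresource; because it is not an exact match it does not grant plain
// "pods" either.
func resourceMatches(rule PolicyRule, combined, subresource string) bool {
	for _, r := range rule.Resources {
		if r == "*" {
			return true
		}
		if r == combined {
			return true
		}
		if subresource == "" {
			continue
		}
		if len(r) == len(subresource)+2 && strings.HasPrefix(r, "*/") && strings.HasSuffix(r, subresource) {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants resource (e.g. "pods") and, if
// non-empty, subresource (e.g. "exec"). The authorizer joins them into
// "pods/exec" before matching, which is why "pods" alone never covers exec.
func Allowed(rules []PolicyRule, resource, subresource string) bool {
	combined := resource
	if subresource != "" {
		combined = resource + "/" + subresource
	}
	for _, rule := range rules {
		if resourceMatches(rule, combined, subresource) {
			return true
		}
	}
	return false
}

// Constructed rule sets for comparison.
var (
	WeakRules  = []PolicyRule{{Resources: []string{"pods/*"}}}          // grants nothing at all
	FixedRules = []PolicyRule{{Resources: []string{"pods", "pods/log"}}} // pods and pods/log, not pods/exec
	ScaleRules = []PolicyRule{{Resources: []string{"*/scale"}}}         // scale subresource on every resource
)

func main() {
	sets := []struct {
		name  string
		rules []PolicyRule
	}{{"pods/*", WeakRules}, {"pods,pods/log", FixedRules}, {"*/scale", ScaleRules}}
	requests := [][2]string{{"pods", ""}, {"pods", "log"}, {"pods", "exec"}, {"deployments", "scale"}}
	for _, s := range sets {
		for _, req := range requests {
			fmt.Printf("rule %-14s request %-12s sub %-6s -> %v\n", s.name, req[0], req[1], Allowed(s.rules, req[0], req[1]))
		}
	}
}
```

Note the second finding the table makes visible: a Role written with only pods/* does not even allow GET on pods, so a binding that "looks" like it grants pod access grants nothing, while a literal * grants every current and future subresource including pods/exec.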

Also, kubectl (1.18 at the time of writing) has no built-in shortcut for listing all subresources.

The only way is to walk the apiserver's discovery endpoints with a script, for example:

# Walk every API path the apiserver advertises and print the resource names it
# serves; subresources appear as "resource/subresource" (e.g. pods/exec, pods/log).
_list=($(kubectl get --raw / | jq -r '.paths[] | select(startswith("/api"))'))
for _api in "${_list[@]}"; do
  _doc=$(kubectl get --raw "${_api}")       # APIResourceList for a group/version; group or root documents otherwise
  _aruyo=$(echo "${_doc}" | jq .resources)  # null for documents that carry no resource list (/api, /apis, /apis/<group>)
  if [ "x${_aruyo}" != "xnull" ]; then
    echo
    echo "===${_api}==="
    echo "${_doc}" | jq -r ".resources[].name"
  fi
done

Script adapted from https://stackoverflow.com/questions/57872201/how-to-refer-to-all-subresources-in-a-role-definition