Query/test whether a K8S API request is authorized before executing it


Background

Consider a set of HTTP GET/PUT requests that I want to issue to the K8S REST API. I know that the currently running pod (i.e. assume a single pod in the cluster used for one-off testing/debugging/etc.) has the appropriate credentials (i.e. it is associated with a service account) to perform these calls successfully.

I want to modify my requests so that they are performed using a different service account (i.e. change the request's user field). However, there is no guarantee that this user can complete all of the requests, and some of them may be destructive, so ideally one of two things happens:

  • None of the requests are executed.
  • 100% of the requests are executed.

If only some of the requests succeed, the system could be left in an indeterminate state.


Question

Is there an API/feature in K8S with which I can determine in advance whether a specific API request is allowed to be executed on behalf of a specific user/service account?

Tags: rest, kubernetes

1 answer (3 votes)
$ kubectl -v 10 --as system:serviceaccount:default:jenkins auth can-i create pod
...
I0426 20:27:33.008777    4149 request.go:942] Request Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":false}}
I0426 20:27:33.008875    4149 round_trippers.go:419] curl -k -v -XPOST  -H "Impersonate-User: system:serviceaccount:default:jenkins" -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.14.0 (darwin/amd64) kubernetes/641856d" 'https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
I0426 20:27:34.935506    4149 round_trippers.go:438] POST https://172.22.1.3/apis/authorization.k8s.io/v1/selfsubjectaccessreviews 201 Created in 1926 milliseconds
I0426 20:27:34.935550    4149 round_trippers.go:444] Response Headers:
I0426 20:27:34.935564    4149 round_trippers.go:447]     Audit-Id: 631abed7-b27b-4eca-b267-4d7db0f1aa21
I0426 20:27:34.935576    4149 round_trippers.go:447]     Content-Type: application/json
I0426 20:27:34.935588    4149 round_trippers.go:447]     Date: Fri, 26 Apr 2019 14:57:34 GMT
I0426 20:27:34.935599    4149 round_trippers.go:447]     Content-Length: 378
I0426 20:27:34.935724    4149 request.go:942] Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"default","verb":"create","resource":"pods"}},"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"jenkins-ns-default/default\" of Role \"jenkins-ns-default\" to User \"system:serviceaccount:default:jenkins\""}}
yes

You can see a detailed description of the SubjectAccessReview API here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#subjectaccessreview-v1-authorization

Read more here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/
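The answer above shows one `kubectl auth can-i` check, which kubectl implements by POSTing a SelfSubjectAccessReview while impersonating the target service account. The question, though, is about a whole batch of requests that should run all-or-nothing. The following script is an added example, not code from the question, the answer, or the Kubernetes project. It posts one SubjectAccessReview per planned request (the non-"self" variant, which names the subject in `spec.user` instead of relying on impersonation), and only reports "go" when every review comes back allowed. It assumes the caller's own credentials may create `subjectaccessreviews` (a cluster-scoped resource), that the pod has the standard in-cluster token and CA files, and the `PLANNED` list and `fake_post` server are constructed for illustration so the script runs offline.

```python
"""Pre-flight authorization check for a batch of Kubernetes API requests.

Added example (not from the original question or answer). One
SubjectAccessReview is posted per planned request for the chosen subject
(spec.user); the batch is only cleared when every review is allowed.
Assumptions: the caller may create subjectaccessreviews, and the in-cluster
token/CA paths below are the standard ones.
"""
import json
import os
import ssl
import urllib.request

SAR_PATH = "/apis/authorization.k8s.io/v1/subjectaccessreviews"
TOKEN_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/token"
CA_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

# Constructed sample: one entry per request you intend to make,
# as (verb, resource, namespace). Namespace None means cluster-scoped.
PLANNED = [
    ("get", "pods", "default"),
    ("update", "configmaps", "default"),
    ("delete", "deployments", "default"),
]


def build_sar(user, verb, resource, namespace=None, group=""):
    """Build the SubjectAccessReview body asking whether `user` may do `verb` on `resource`."""
    attrs = {"verb": verb, "resource": resource, "group": group}
    if namespace is not None:
        attrs["namespace"] = namespace
    return {
        "kind": "SubjectAccessReview",
        "apiVersion": "authorization.k8s.io/v1",
        "spec": {"user": user, "resourceAttributes": attrs},
    }


def is_allowed(review_response):
    """True only if status.allowed is set and status.denied is not; anything else is a refusal."""
    status = review_response.get("status", {})
    return bool(status.get("allowed")) and not status.get("denied", False)


def post_in_cluster(body):
    """POST a review using the pod's own service-account token (needs a real cluster)."""
    host = os.environ["KUBERNETES_SERVICE_HOST"]
    port = os.environ.get("KUBERNETES_SERVICE_PORT", "443")
    with open(TOKEN_FILE) as f:
        token = f.read().strip()
    ctx = ssl.create_default_context(cafile=CA_FILE)
    req = urllib.request.Request(
        f"https://{host}:{port}{SAR_PATH}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def preflight(user, planned, post=post_in_cluster):
    """Review every planned request.

    Returns (all_allowed, rows) where each row is
    (verb, resource, namespace, allowed, reason) so the caller can log
    exactly which request would have been refused before touching anything.
    """
    rows = []
    for verb, resource, ns in planned:
        resp = post(build_sar(user, verb, resource, ns))
        reason = resp.get("status", {}).get("reason", "")
        rows.append((verb, resource, ns, is_allowed(resp), reason))
    return all(r[3] for r in rows), rows


def fake_post(body):
    """Constructed stand-in for the API server: allows everything except delete.

    The response shape mirrors the captured Response Body in the answer
    (status.allowed plus an RBAC reason string).
    """
    attrs = body["spec"]["resourceAttributes"]
    if attrs["verb"] == "delete":
        return {"status": {"allowed": False, "reason": "constructed: no delete in RoleBinding"}}
    return {"status": {"allowed": True, "reason": "constructed: RBAC allowed by RoleBinding"}}


if __name__ == "__main__":
    ok, rows = preflight("system:serviceaccount:default:jenkins", PLANNED, post=fake_post)
    for verb, resource, ns, allowed, reason in rows:
        print(f"{verb:7} {resource:12} {ns or '<cluster>':10} {'yes' if allowed else 'no':3} {reason}")
    print("go" if ok else "abort: at least one request would be refused")
```

Two caveats a practitioner should keep in mind. First, check-then-act is not atomic: a review tells you what the authorizer (RBAC, webhook, etc.) decides at that moment, and a RoleBinding can change between the pre-flight and the real calls, so the batch is still not a transaction. Second, authorization is only one gate; an allowed request can still be rejected later by admission control or by a resource conflict. Also note the permission difference between the two approaches: the answer's `--as` path needs the caller to hold the `impersonate` verb on the target service account, whereas posting a SubjectAccessReview with `spec.user` needs `create` on `subjectaccessreviews`.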
