K8s: Viewing cluster RBAC authorization with the kubectl plugin rakkess

Posted by 山河已无恙


Preface

  • This post shares a tool for inspecting RBAC permissions.
  • rakkess renders the permissions in effect for an identity as an access matrix: which verbs it may use on which API resources, per namespace, and which subjects may act on a given resource.
  • Corrections from readers are welcome.

Outside the east gate, girls as many as clouds. Though as many as clouds, none is the one I long for. In plain white dress and grey-green kerchief, she alone delights me. (Book of Songs, 《郑风·出其东门》)


In K8s cluster permission management, authentication is commonly done with a ServiceAccount token or an X.509 client certificate signed by the cluster CA, and authorization with RBAC. Least privilege is usually enforced per namespace, both to keep the cluster safe and to isolate tenants from each other. Whatever the identity behind the request (a ServiceAccount or a certificate user), the permissions it ends up with are expressed through the Role, ClusterRole, RoleBinding and ClusterRoleBinding API resources. Reading those objects by hand to answer "what can this identity actually do?" is tedious and error-prone, because a subject can pick up permissions from several bindings; rakkess asks the API server the question directly and prints the answer as a matrix.

Installation

If krew is installed and you have unrestricted internet access, install it through krew (the plugin is published there under the name access-matrix):

kubectl krew install access-matrix

Otherwise, install the prebuilt binary from the GitHub release:

curl -LO https://github.com/corneliusweig/rakkess/releases/download/v0.5.0/rakkess-amd64-linux.tar.gz 

Extract it, rename the binary to kubectl-rakkess and put it on PATH; kubectl discovers any executable named kubectl-<name> as a plugin, so no compilation is needed.

┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$tar -zxvf rakkess-amd64-linux.tar.gz
LICENSE
rakkess-amd64-linux
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$mv rakkess-amd64-linux kubectl-rakkess
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$mv kubectl-rakkess /usr/local/bin/
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess version
v0.5.0

Show the access matrix for the current kubeconfig identity in a namespace. Note that this is the identity's effective access (rakkess issues a SelfSubjectAccessReview per resource and verb, so the API server's full authorizer chain is consulted), not a dump of the namespace's Role objects. By default the verbs checked are list, create, update and delete; a blank cell means the verb does not apply to that resource. Here the kubeconfig belongs to a cluster admin, so almost every cell is ✔.

┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess --namespace default
NAME                                            LIST  CREATE  UPDATE  DELETE
                                                ✖     ✖       ✖       ✖
............
alertmanagerconfigs.monitoring.coreos.com       ✔     ✔       ✔       ✔
alertmanagers.monitoring.coreos.com             ✔     ✔       ✔       ✔
awxbackups.awx.ansible.com                      ✔     ✔       ✔       ✔
awxrestores.awx.ansible.com                     ✔     ✔       ✔       ✔
awxs.awx.ansible.com                            ✔     ✔       ✔       ✔
bindings                                              ✔
configmaps                                      ✔     ✔       ✔       ✔
controllerrevisions.apps                        ✔     ✔       ✔       ✔
cronjobs.batch                                  ✔     ✔       ✔       ✔
csistoragecapacities.storage.k8s.io             ✔     ✔       ✔       ✔
daemonsets.apps                                 ✔     ✔       ✔       ✔
deployments.apps                                ✔     ✔       ✔       ✔
endpoints                                       ✔     ✔       ✔       ✔
endpointslices.discovery.k8s.io                 ✔     ✔       ✔       ✔
events                                          ✔     ✔       ✔       ✔
events.events.k8s.io                            ✔     ✔       ✔       ✔
horizontalpodautoscalers.autoscaling            ✔     ✔       ✔       ✔
ingresses.networking.k8s.io                     ✔     ✔       ✔       ✔
jobs.batch                                      ✔     ✔       ✔       ✔
leases.coordination.k8s.io                      ✔     ✔       ✔       ✔
limitranges                                     ✔     ✔       ✔       ✔
localsubjectaccessreviews.authorization.k8s.io        ✔
networkpolicies.crd.projectcalico.org           ✔     ✔       ✔       ✔
networkpolicies.networking.k8s.io               ✔     ✔       ✔       ✔
networksets.crd.projectcalico.org               ✔     ✔       ✔       ✔
persistentvolumeclaims                          ✔     ✔       ✔       ✔
poddisruptionbudgets.policy                     ✔     ✔       ✔       ✔
podmonitors.monitoring.coreos.com               ✔     ✔       ✔       ✔
pods                                            ✔     ✔       ✔       ✔
podtemplates                                    ✔     ✔       ✔       ✔
probes.monitoring.coreos.com                    ✔     ✔       ✔       ✔
prometheuses.monitoring.coreos.com              ✔     ✔       ✔       ✔
prometheusrules.monitoring.coreos.com           ✔     ✔       ✔       ✔
replicasets.apps                                ✔     ✔       ✔       ✔
replicationcontrollers                          ✔     ✔       ✔       ✔
resourcequotas                                  ✔     ✔       ✔       ✔
rolebindings.rbac.authorization.k8s.io          ✔     ✔       ✔       ✔
roles.rbac.authorization.k8s.io                 ✔     ✔       ✔       ✔
secrets                                         ✔     ✔       ✔       ✔
serviceaccounts                                 ✔     ✔       ✔       ✔
servicemonitors.monitoring.coreos.com           ✔     ✔       ✔       ✔
services                                        ✔     ✔       ✔       ✔
statefulsets.apps                               ✔     ✔       ✔       ✔
thanosrulers.monitoring.coreos.com              ✔     ✔       ✔       ✔

Show which subjects have access to a given API resource (the short name cm resolves to configmaps). This mode works the other way round: rakkess reads the (Cluster)Roles and their bindings and lists every bound subject. Without --namespace only ClusterRoleBindings are considered, as the trailing note says; pass -n <namespace> to include the RoleBindings of that namespace too. Because this mode reads RBAC objects rather than asking the authorizer, it does not reflect any other authorizer (webhook, ABAC) the cluster may run.

┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess resource cm
NAME                                    KIND            SA-NAMESPACE          LIST  CREATE  UPDATE  DELETE
admin-user                              ServiceAccount  kubernetes-dashboard  ✔     ✔       ✔       ✔
generic-garbage-collector               ServiceAccount  kube-system           ✔     ✖       ✔       ✔
horizontal-pod-autoscaler               ServiceAccount  kube-system           ✔     ✖       ✖       ✖
ingress-nginx                           ServiceAccount  ingress-nginx         ✔     ✖       ✖       ✖
kubernetes-dashboard                    ServiceAccount  kubernetes-dashboard  ✔     ✔       ✔       ✔
kuboard-user                            ServiceAccount  kube-system           ✔     ✔       ✔       ✔
kuboard-viewer                          ServiceAccount  kube-system           ✔     ✖       ✖       ✖
liruilong                               User                                  ✔     ✔       ✔       ✔
local-path-provisioner-service-account  ServiceAccount  local-path-storage    ✔     ✖       ✖       ✖
namespace-controller                    ServiceAccount  kube-system           ✔     ✖       ✖       ✔
resourcequota-controller                ServiceAccount  kube-system           ✔     ✖       ✖       ✖
root-ca-cert-publisher                  ServiceAccount  kube-system           ✖     ✔       ✔       ✖
system:kube-controller-manager          User                                  ✔     ✖       ✖       ✖
system:masters                          Group                                 ✔     ✔       ✔       ✔
Only ClusterRoleBindings are considered, because no namespace is given.

When querying you can choose which verbs to check with --verbs:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess r cm --verbs get,delete,watch,patch
NAME                                    KIND            SA-NAMESPACE          GET  DELETE  WATCH  PATCH
admin-user                              ServiceAccount  kubernetes-dashboard  ✔    ✔       ✔      ✔
calico-node                             ServiceAccount  kube-system           ✔    ✖       ✖      ✖
generic-garbage-collector               ServiceAccount  kube-system           ✔    ✔       ✔      ✔
horizontal-pod-autoscaler               ServiceAccount  kube-system           ✔    ✖       ✖      ✖
ingress-nginx                           ServiceAccount  ingress-nginx         ✖    ✖       ✔      ✖
kubernetes-dashboard                    ServiceAccount  kubernetes-dashboard  ✔    ✔       ✔      ✔
kuboard-user                            ServiceAccount  kube-system           ✔    ✔       ✔      ✔
kuboard-viewer                          ServiceAccount  kube-system           ✔    ✖       ✔      ✖
liruilong                               User                                  ✔    ✔       ✔      ✔
local-path-provisioner-service-account  ServiceAccount  local-path-storage    ✔    ✖       ✔      ✖
namespace-controller                    ServiceAccount  kube-system           ✔    ✔       ✖      ✖
resourcequota-controller                ServiceAccount  kube-system           ✖    ✖       ✔      ✖
system:kube-controller-manager          User                                  ✔    ✖       ✔      ✖
system:masters                          Group                                 ✔    ✔       ✔      ✔
Only ClusterRoleBindings are considered, because no namespace is given.
The matrix can also be computed for another identity through impersonation, which is the useful check for least privilege: run it as the application's ServiceAccount rather than as the admin. --as takes the Kubernetes user name, so a ServiceAccount must be written as system:serviceaccount:<namespace>:<name>; rakkess also documents a --sa <namespace>:<name> shorthand for this. Writing --as kube-system:namespace-controller, as the original commands did, impersonates a User literally named "kube-system:namespace-controller", which has no bindings and yields an all-✖ matrix. Impersonation itself requires the impersonate verb on users, groups and serviceaccounts, which cluster-admin has.

┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess --as liruilong
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess --as system:serviceaccount:kube-system:namespace-controller
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess --sa kube-system:namespace-controller
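The two things a reviewer does with this output are to pull out the subjects that can write a sensitive resource (the `resource` matrix above) and to re-check a suspicious subject through impersonation with the correct subject name (the `--as` commands above). The script below is an added example, not rakkess's own code or the author's; the matrix it parses is a constructed sample shaped like the page's `kubectl rakkess resource cm` output, and `can_i_as` is an assumed wrapper around `kubectl auth can-i` that is only called by hand, so the rest runs offline.

```shell
#!/usr/bin/env bash
# Added example (not rakkess's own code): triage a "kubectl rakkess resource <res>"
# matrix for subjects with write access, and name subjects correctly when
# re-checking them through impersonation.
set -eu

# Constructed sample, shaped like the page's `kubectl rakkess resource cm` output.
# Two row shapes occur: ServiceAccount rows carry a SA-NAMESPACE column, while
# User/Group rows leave it blank, so a whitespace split yields 7 vs 6 fields.
SAMPLE_MATRIX='NAME                       KIND            SA-NAMESPACE          LIST  CREATE  UPDATE  DELETE
admin-user                 ServiceAccount  kubernetes-dashboard  ✔     ✔       ✔       ✔
horizontal-pod-autoscaler  ServiceAccount  kube-system           ✔     ✖       ✖       ✖
root-ca-cert-publisher     ServiceAccount  kube-system           ✖     ✔       ✔       ✖
liruilong                  User                                  ✔     ✔       ✔       ✔
system:masters             Group                                 ✔     ✔       ✔       ✔
Only ClusterRoleBindings are considered, because no namespace is given.'

# Kubernetes user name of a ServiceAccount, as expected by `--as` and by
# SubjectAccessReview: system:serviceaccount:<namespace>:<name>.
sa_user_name() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Read a rakkess "resource" matrix on stdin and print one line per subject that
# may CREATE, UPDATE or DELETE: "<Kind> <impersonation name>". Only the
# "resource" sub-command's output is handled: there every cell is ✔ or ✖, whereas
# the plain access matrix leaves inapplicable cells blank and would mis-split.
rakkess_writers() {
  awk '
    NR == 1 || $1 == "Only" { next }            # header line and trailer note
    {
      kind = $2
      if (kind == "ServiceAccount") {
        subject = "system:serviceaccount:" $3 ":" $1; first = 4   # $4 is LIST
      } else {
        subject = $1; first = 3                                   # $3 is LIST
      }
      for (i = first + 1; i <= NF; i++)         # CREATE, UPDATE, DELETE
        if ($i == "✔") { print kind, subject; break }
    }'
}

# Assumed wrapper, not run by default: ask the API server whether <subject> may
# <verb> <resource> in <namespace>. Unlike `rakkess resource`, which only reads
# RBAC bindings, this goes through the whole authorizer chain. Impersonation
# needs the "impersonate" verb on users/groups/serviceaccounts (cluster-admin has it).
can_i_as() {
  local subject=$1 verb=$2 resource=$3 namespace=${4:-default}
  kubectl auth can-i "$verb" "$resource" --as "$subject" -n "$namespace"
}

# Usage:
#   printf '%s\n' "$SAMPLE_MATRIX" | rakkess_writers
#   can_i_as "$(sa_user_name kube-system namespace-controller)" delete configmaps kube-system
```

On the sample, `rakkess_writers` reports the dashboard admin-user, root-ca-cert-publisher, the user liruilong and the system:masters group, and drops horizontal-pod-autoscaler, which is read-only. Feeding the real matrix of `secrets`, `pods` or `rolebindings.rbac.authorization.k8s.io` through it is a quick way to find ServiceAccounts that should not hold write access; each hit can then be confirmed with `can_i_as`, whose answer is authoritative because the API server, not a reading of the bindings, decides.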

References


https://github.com/corneliusweig/rakkess
