K8s: Viewing cluster RBAC authorization information with the kubectl plugin rakkess

Preface

  • Sharing a tool for viewing RBAC permissions in a cluster
  • rakkess shows the RBAC authorizations in a cluster namespace, and which subjects hold which verbs on a resource
  • Where my understanding falls short, corrections are welcome

Out by the east gate, the women are like clouds. Though they are like clouds, none of them is the one I think of. The white robe and the grey-green kerchief, that alone gladdens me. (Book of Odes, Zheng Feng: Chu Qi Dong Men)


In Kubernetes cluster permission management, authentication commonly uses a ServiceAccount plus token or a CA-issued client certificate, and authorization uses RBAC. Least privilege is usually enforced per namespace to keep the cluster secure and to create isolation between tenants of the same cluster. Both ServiceAccounts and certificate identities need permissions granted to them, and Kubernetes expresses those grants through the Role, ClusterRole, RoleBinding and ClusterRoleBinding API resources, which is where you go to inspect them.

Installation

If krew is installed and you have unrestricted internet access, install it with:

kubectl krew install access-matrix

Otherwise, install it from the binary release:

curl -LO https://github.com/corneliusweig/rakkess/releases/download/v0.5.0/rakkess-amd64-linux.tar.gz 

Unpack it, rename the binary to kubectl-rakkess and put it on PATH; kubectl then discovers it as a plugin.

┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$tar -zxvf rakkess-amd64-linux.tar.gz
LICENSE
rakkess-amd64-linux
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$mv rakkess-amd64-linux kubectl-rakkess
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$mv kubectl-rakkess /usr/local/bin/
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess version
v0.5.0

View the RBAC permissions in the current namespace. The current version has a bug: some empty rows are printed at the top of the table.

┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess --namespace default
NAME                                            LIST  CREATE  UPDATE  DELETE
                                                ✖     ✖       ✖       ✖
............
alertmanagerconfigs.monitoring.coreos.com       ✔     ✔       ✔       ✔
alertmanagers.monitoring.coreos.com             ✔     ✔       ✔       ✔
awxbackups.awx.ansible.com                      ✔     ✔       ✔       ✔
awxrestores.awx.ansible.com                     ✔     ✔       ✔       ✔
awxs.awx.ansible.com                            ✔     ✔       ✔       ✔
bindings                                              ✔
configmaps                                      ✔     ✔       ✔       ✔
controllerrevisions.apps                        ✔     ✔       ✔       ✔
cronjobs.batch                                  ✔     ✔       ✔       ✔
csistoragecapacities.storage.k8s.io             ✔     ✔       ✔       ✔
daemonsets.apps                                 ✔     ✔       ✔       ✔
deployments.apps                                ✔     ✔       ✔       ✔
endpoints                                       ✔     ✔       ✔       ✔
endpointslices.discovery.k8s.io                 ✔     ✔       ✔       ✔
events                                          ✔     ✔       ✔       ✔
events.events.k8s.io                            ✔     ✔       ✔       ✔
horizontalpodautoscalers.autoscaling            ✔     ✔       ✔       ✔
ingresses.networking.k8s.io                     ✔     ✔       ✔       ✔
jobs.batch                                      ✔     ✔       ✔       ✔
leases.coordination.k8s.io                      ✔     ✔       ✔       ✔
limitranges                                     ✔     ✔       ✔       ✔
localsubjectaccessreviews.authorization.k8s.io        ✔
networkpolicies.crd.projectcalico.org           ✔     ✔       ✔       ✔
networkpolicies.networking.k8s.io               ✔     ✔       ✔       ✔
networksets.crd.projectcalico.org               ✔     ✔       ✔       ✔
persistentvolumeclaims                          ✔     ✔       ✔       ✔
poddisruptionbudgets.policy                     ✔     ✔       ✔       ✔
podmonitors.monitoring.coreos.com               ✔     ✔       ✔       ✔
pods                                            ✔     ✔       ✔       ✔
podtemplates                                    ✔     ✔       ✔       ✔
probes.monitoring.coreos.com                    ✔     ✔       ✔       ✔
prometheuses.monitoring.coreos.com              ✔     ✔       ✔       ✔
prometheusrules.monitoring.coreos.com           ✔     ✔       ✔       ✔
replicasets.apps                                ✔     ✔       ✔       ✔
replicationcontrollers                          ✔     ✔       ✔       ✔
resourcequotas                                  ✔     ✔       ✔       ✔
rolebindings.rbac.authorization.k8s.io          ✔     ✔       ✔       ✔
roles.rbac.authorization.k8s.io                 ✔     ✔       ✔       ✔
secrets                                         ✔     ✔       ✔       ✔
serviceaccounts                                 ✔     ✔       ✔       ✔
servicemonitors.monitoring.coreos.com           ✔     ✔       ✔       ✔
services                                        ✔     ✔       ✔       ✔
statefulsets.apps                               ✔     ✔       ✔       ✔
thanosrulers.monitoring.coreos.com              ✔     ✔       ✔       ✔

View the RBAC permissions for a given API resource, that is, which subjects hold which verbs on it:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess resource cm
NAME                                    KIND            SA-NAMESPACE          LIST  CREATE  UPDATE  DELETE
admin-user                              ServiceAccount  kubernetes-dashboard  ✔     ✔       ✔       ✔
generic-garbage-collector               ServiceAccount  kube-system           ✔     ✖       ✔       ✔
horizontal-pod-autoscaler               ServiceAccount  kube-system           ✔     ✖       ✖       ✖
ingress-nginx                           ServiceAccount  ingress-nginx         ✔     ✖       ✖       ✖
kubernetes-dashboard                    ServiceAccount  kubernetes-dashboard  ✔     ✔       ✔       ✔
kuboard-user                            ServiceAccount  kube-system           ✔     ✔       ✔       ✔
kuboard-viewer                          ServiceAccount  kube-system           ✔     ✖       ✖       ✖
liruilong                               User                                  ✔     ✔       ✔       ✔
local-path-provisioner-service-account  ServiceAccount  local-path-storage    ✔     ✖       ✖       ✖
namespace-controller                    ServiceAccount  kube-system           ✔     ✖       ✖       ✔
resourcequota-controller                ServiceAccount  kube-system           ✔     ✖       ✖       ✖
root-ca-cert-publisher                  ServiceAccount  kube-system           ✖     ✔       ✔       ✖
system:kube-controller-manager          User                                  ✔     ✖       ✖       ✖
system:masters                          Group                                 ✔     ✔       ✔       ✔
Only ClusterRoleBindings are considered, because no namespace is given.

When querying, you can specify which verbs to check:

┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess r cm --verbs get,delete,watch,patch
NAME                                    KIND            SA-NAMESPACE          GET  DELETE  WATCH  PATCH
admin-user                              ServiceAccount  kubernetes-dashboard  ✔    ✔       ✔      ✔
calico-node                             ServiceAccount  kube-system           ✔    ✖       ✖      ✖
generic-garbage-collector               ServiceAccount  kube-system           ✔    ✔       ✔      ✔
horizontal-pod-autoscaler               ServiceAccount  kube-system           ✔    ✖       ✖      ✖
ingress-nginx                           ServiceAccount  ingress-nginx         ✖    ✖       ✔      ✖
kubernetes-dashboard                    ServiceAccount  kubernetes-dashboard  ✔    ✔       ✔      ✔
kuboard-user                            ServiceAccount  kube-system           ✔    ✔       ✔      ✔
kuboard-viewer                          ServiceAccount  kube-system           ✔    ✖       ✔      ✖
liruilong                               User                                  ✔    ✔       ✔      ✔
local-path-provisioner-service-account  ServiceAccount  local-path-storage    ✔    ✖       ✔      ✖
namespace-controller                    ServiceAccount  kube-system           ✔    ✔       ✖      ✖
resourcequota-controller                ServiceAccount  kube-system           ✖    ✖       ✔      ✖
system:kube-controller-manager          User                                  ✔    ✖       ✔      ✖
system:masters                          Group                                 ✔    ✔       ✔      ✔
Only ClusterRoleBindings are considered, because no namespace is given.
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess --as liruilong
┌──[root@vms81.liruilongs.github.io]-[~/ansible/krew]
└─$kubectl rakkess --as kube-system:namespace-controller
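To make the resource view above concrete, here is an added example (my own code, not part of the post and not rakkess's implementation) that models the RBAC resolution behind `kubectl rakkess resource cm`: for one resource, which bound subjects hold which verbs, with the page's observed rule that only ClusterRoleBindings count when no namespace is given. All role and binding objects are constructed sample data, and `dev-alice`, `cm-viewer`, `cm-editor` and `gc` are invented names.

```python
# Added example, not from the post or from rakkess: offline model of the
# per-subject access matrix for one resource. Objects are constructed, not
# dumped from a cluster; subjects are (kind, name, serviceaccount-namespace).
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "cm-viewer": [{"apiGroups": [""], "resources": ["configmaps"],
                   "verbs": ["get", "list", "watch"]}],
    "gc": [{"apiGroups": ["*"], "resources": ["*"],
            "verbs": ["get", "list", "watch", "update", "delete"]}],
    "cm-editor": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["*"]}],
}
# ClusterRoleBindings apply cluster-wide; RoleBindings only in their namespace.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "cluster-admin", "subjects": [("Group", "system:masters", "")]},
    {"roleRef": "cm-viewer", "subjects": [("ServiceAccount", "kuboard-viewer", "kube-system")]},
    {"roleRef": "gc", "subjects": [("ServiceAccount", "generic-garbage-collector", "kube-system")]},
]
ROLE_BINDINGS = [  # a RoleBinding may reference a ClusterRole, scoped to its namespace
    {"namespace": "default", "roleRef": "cm-editor", "subjects": [("User", "dev-alice", "")]},
]

def rule_allows(rule, api_group, resource, verb):
    """A rule matches only if apiGroup, resource and verb all match; '*' is a
    wildcard in each list. RBAC is purely additive: there are no deny rules."""
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))

def access_matrix(api_group, resource, verbs, namespace=None):
    """{(kind, name, sa_ns): {verb: bool}} for subjects whose bound roles grant
    at least one queried verb on the resource (a modelling choice). Without a
    namespace only ClusterRoleBindings are considered, as rakkess reports."""
    bindings = list(CLUSTER_ROLE_BINDINGS)
    if namespace is not None:
        bindings += [b for b in ROLE_BINDINGS if b["namespace"] == namespace]
    matrix = {}
    for b in bindings:
        rules = CLUSTER_ROLES.get(b["roleRef"], [])  # dangling roleRef grants nothing
        for subj in b["subjects"]:
            row = matrix.setdefault(subj, {v: False for v in verbs})
            for v in verbs:
                row[v] = row[v] or any(rule_allows(r, api_group, resource, v) for r in rules)
    return {s: r for s, r in matrix.items() if any(r.values())}

def render(matrix):  # same ✔/✖ table style as the plugin output above
    for (kind, name, ns), row in sorted(matrix.items(), key=lambda kv: kv[0][1]):
        marks = "  ".join("✔" if ok else "✖" for ok in row.values())
        print(f"{name:<30} {kind:<15} {ns:<12} {marks}")

if __name__ == "__main__":
    render(access_matrix("", "configmaps", ["list", "create", "update", "delete"]))
```

Passing `namespace="default"` additionally pulls in the RoleBindings of that namespace, which is how the same subject can show a different row depending on whether a namespace was given.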

References


https://github.com/corneliusweig/rakkess


Originally published on the WeChat official account 山河已无恙: K8s: Viewing cluster RBAC authorization information with the kubectl plugin rakkess


Compiled by 极客之音; article link: https://www.bmabk.com/index.php/post/250112.html
