
While testing role-based access on Alibaba Container Service, it throws me the error `pods is forbidden: User "user1" cannot list pods in the namespace "stage"`. This is an RBAC problem, and I can't figure out where I went wrong.

RoleBinding definition

root@kube-master:# kubectl describe rolebinding stage-role-binding  -n stage
Name:         stage-role-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  staging
Subjects:
  Kind  Name   Namespace
  ----  ----   ---------
  User  user2  

Role definition

root@kube-master:# kubectl describe role -n stage
Name:         staging
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources               Non-Resource URLs  Resource Names  Verbs
  ---------               -----------------  --------------  -----
  deployments             []                 []              [get list watch create update patch delete]
  pods                    []                 []              [get list watch create update patch delete]
  replicasets             []                 []              [get list watch create update patch delete]
  deployments.apps        []                 []              [get list watch create update patch delete]
  pods.apps               []                 []              [get list watch create update patch delete]
  replicasets.apps        []                 []              [get list watch create update patch delete]
  deployments.extensions  []                 []              [get list watch create update patch delete]
  pods.extensions         []                 []              [get list watch create update patch delete]
  replicasets.extensions  []                 []              [get list watch create update patch delete]

A pod is running fine in the stage namespace

root@kube-master:# kubectl get pods -n stage 
NAME      READY     STATUS    RESTARTS   AGE
busybox   1/1       Running   0          10m

Define the context

root@kube-master:# kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2
Context "stage" modified.

Test RBAC

root@kube-master:/home/ansible# kubectl --context=stage get pods
No resources found.
Error from server (Forbidden): pods is forbidden: User "user1" cannot list pods in the namespace "stage"

I don't know where `user1` comes from or why it throws the RBAC error. The context was only set for `user2`.

root@kube-master:# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   
          stage                         kubernetes   user2              stage

This is how I created the user

openssl genrsa -out user2.key 2048
openssl req -new -key user2.key -out user2.csr -subj "/CN=user1/O=8gwifi.org"
openssl x509 -req -in user2.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out user2.crt -days 500

kubectl config set-credentials user2 --client-certificate=user2.crt --client-key=user2.key
kubectl config set-context stage --cluster=kubernetes --namespace=stage --user=user2
1 Answer

The RoleBinding applies to user `user2`, not to `user1`. That is why you are getting the RBAC error.

Setting the context for user `user2` does not mean Kubernetes will identify this user as `user2`. That depends on the credentials you use. If the credentials used belong to user `user-x`, Kubernetes will treat the caller as `user-x`. The context's user is only used by kubectl to look up the user's credential information. To understand Kubernetes authentication, see here.

The credentials you are using there resolve to user `user1`. So you should update the RoleBinding to `user1`.

After the question was updated

For certificate authentication, the CN will be the username (reference: here). In your certificate `"/CN=user1/O=8gwifi.org"`, the username will be `user1`, not `user2`.

answered 2019-02-06T11:33:43.907
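The mismatch the answer describes can be checked before touching the cluster: the x509 authenticator takes the username from the certificate's subject CN and the groups from its O attributes, while the `user2` in `kubectl config set-credentials user2` is only a kubeconfig label. The script below is an added example, not code from the question or the answer. It issues a client certificate exactly as the question does, but against a throwaway CA generated in a temp directory (an assumption standing in for `/etc/kubernetes/pki/ca.crt` and `ca.key`), then reads the identity the API server would see and compares it with the RoleBinding subject. It assumes `openssl` is installed; the helper names `cert_username`, `cert_groups` and `binding_matches` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): shows that Kubernetes x509 client-cert
# auth derives the username from the certificate CN (and groups from O), not from
# the kubeconfig credential name. Assumes openssl is installed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA. Assumption: stands in for the cluster CA in the question
# (/etc/kubernetes/pki/ca.crt, ca.key); it is NOT a real cluster CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=kubernetes-ca" >/dev/null 2>&1
}

# Issue a client cert the same way the question does:
# $1 = file/kubeconfig name, $2 = certificate subject.
issue_client_cert() {
    name="$1"; subject="$2"
    openssl genrsa -out "$WORK/$name.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "$subject" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$name.crt" -days 1 >/dev/null 2>&1
}

# Username the API server will attribute to a client cert: its subject CN.
cert_username() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=//p' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Groups the API server will attribute to a client cert: every O= attribute.
cert_groups() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=//p' | tr ',' '\n' | sed -n 's/^O=//p'
}

# Would a RoleBinding whose subject is User "$2" apply to the holder of cert "$1"?
binding_matches() {
    [ "$(cert_username "$1")" = "$2" ]
}

make_ca
# Reproduce the question's setup: files and kubeconfig entry named user2, CN=user1.
issue_client_cert user2 "/CN=user1/O=8gwifi.org"

echo "kubeconfig credential name : user2"
echo "username the API server sees: $(cert_username "$WORK/user2.crt")"
echo "groups the API server sees  : $(cert_groups "$WORK/user2.crt")"

if binding_matches "$WORK/user2.crt" user2; then
    echo "RoleBinding subject User/user2 matches this certificate"
else
    echo "RoleBinding subject User/user2 does NOT match; either bind User/user1" \
         "or reissue the certificate with -subj /CN=user2"
fi
```

Either fix works, but they are not equivalent from a least-privilege standpoint: rebinding to `user1` grants the Role to whatever the certificate says, whereas reissuing the certificate with `/CN=user2` keeps the kubeconfig name, the certificate identity and the binding subject aligned, which is what you want when auditing who holds access to a namespace. Note also that `O=8gwifi.org` becomes a group name; a ClusterRoleBinding with `Group: 8gwifi.org` as subject would apply to every certificate issued with that organization. On a cluster recent enough to support SelfSubjectReview, `kubectl --context=stage auth whoami` reports the same username and groups directly from the API server.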