I have restricted deletion (via a validating webhook) for all service accounts in a namespace, including deletion of the namespace itself. As cluster administrator, is there any way I can still delete objects from that namespace?

package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    namespaces := {"test01"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]

    # one %q per value; the posted line used a single verb for two arguments
    msg := sprintf("Operation not permitted in protected namespace %q, invalid operation %q", [namespace, operation])
}

Alternatively, is there a way to make an exception for the cluster administrator?

Update:

I figured out the username to exempt, but although the policy evaluates correctly in the policy checker, it does not get status: ok in the configmap status:

package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    # exempt the listed identities; everyone else is denied
    not users[username]
    # one %q per value; the posted line used a single verb for three arguments
    msg := sprintf("Operation not permitted in protected namespace %q, invalid operation %q for user %q", [namespace, operation, username])
}

Update:

After a while the policy status became Ok.


Given the correct username, this policy works.

package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    # exempt the listed identities; everyone else is denied
    not users[username]
    # one %q per value; the posted line used a single verb for three arguments
    msg := sprintf("Operation not permitted in protected namespace %q, invalid operation %q for user %q", [namespace, operation, username])
}
answered 2020-01-03T12:55:42.620
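Added example, not part of the question or of either answer: the exemption policy in `rego.v1` syntax (accepted by OPA 0.59+ and required by OPA 1.0) together with unit tests for `opa test` that feed it constructed AdmissionReview inputs. It serves both the question's policy and the answer's version of it: a service-account DELETE in `test01` is denied, the same request from the exempt `kubernetes-admin` identity is allowed, and a DELETE of the Namespace object itself is also caught, because the API server fills `request.namespace` with the namespace's own name for `/api/v1/namespaces/<name>`. The namespace, user and service-account names are assumptions chosen for the tests; the exempt username must match what the admin credential actually presents (the CN of a kubeadm-issued admin client certificate is `kubernetes-admin`, which is why the asker's value works). Two caveats the policy itself does not address: the exemption is keyed on `userInfo.username` alone, so any credential carrying that name bypasses it, and in `kube-system` the rule also fires for controller service accounts if the webhook's `rules` and `namespaceSelector` route their requests to OPA.

```rego
# Added example (not from the original post). Policy plus tests in one file;
# run with: opa test policy.rego -v
package kubernetes.admission

import rego.v1

# Namespaces in which writes are blocked for non-exempt identities (assumed names).
protected_namespaces := {"test01", "kube-system"}

# Identities allowed to mutate protected namespaces. "kubernetes-admin" is the
# CN of the kubeadm admin client certificate; "admin" is an assumed extra user.
exempt_users := {"kubernetes-admin", "admin"}

# Operations that are checked; CONNECT is deliberately not in the set.
guarded_operations := {"CREATE", "UPDATE", "DELETE"}

deny contains msg if {
	ns := input.request.namespace
	op := input.request.operation
	user := input.request.userInfo.username
	ns in protected_namespaces
	op in guarded_operations
	not user in exempt_users
	msg := sprintf("operation %q in protected namespace %q not permitted for user %q", [op, ns, user])
}

# Builds a minimal AdmissionReview request for the tests (constructed input).
review(op, kind, ns, name, user) := {"request": {
	"operation": op,
	"kind": {"group": "", "version": "v1", "kind": kind},
	"namespace": ns,
	"name": name,
	"userInfo": {"username": user},
}}

# A namespace service account may not delete a pod in test01.
test_serviceaccount_delete_denied if {
	inp := review("DELETE", "Pod", "test01", "nginx", "system:serviceaccount:test01:deployer")
	count(deny) == 1 with input as inp
}

# The cluster admin's identity is exempt and may delete the same pod.
test_admin_delete_allowed if {
	inp := review("DELETE", "Pod", "test01", "nginx", "kubernetes-admin")
	count(deny) == 0 with input as inp
}

# Deleting the Namespace object itself: request.namespace carries the
# namespace's own name, so the rule fires for a non-exempt user as well.
test_namespace_object_delete_denied if {
	inp := review("DELETE", "Namespace", "test01", "test01", "system:serviceaccount:ci:deployer")
	count(deny) == 1 with input as inp
}

# The admin can delete the namespace object.
test_namespace_object_delete_allowed_for_admin if {
	inp := review("DELETE", "Namespace", "test01", "test01", "kubernetes-admin")
	count(deny) == 0 with input as inp
}

# Operations outside the guarded set are not blocked.
test_connect_not_guarded if {
	inp := review("CONNECT", "Pod", "test01", "nginx", "system:serviceaccount:test01:deployer")
	count(deny) == 0 with input as inp
}

# Unprotected namespaces are never affected.
test_other_namespace_allowed if {
	inp := review("DELETE", "Pod", "default", "nginx", "system:serviceaccount:default:deployer")
	count(deny) == 0 with input as inp
}
```

The tests exercise the policy the same way the "policy checker" does, but offline and repeatably, so a change to the exempt set or the operation list cannot silently lock the administrator out. When running it with kube-mgmt, remember that the configmap status only reflects whether the policy compiled and loaded; it says nothing about which requests the webhook configuration actually forwards.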

You can delete the object directly from the etcd server, assuming that as cluster administrator you have access to the etcd server.

For example:

$ kubectl get po
NAME                      READY   STATUS    RESTARTS   AGE
curler-755cc7cfff-xdt6m   1/1     Running   0          21h
nginx-6db489d4b7-qvmgn    1/1     Running   0          21h

I want to delete the pod nginx-6db489d4b7-qvmgn

$ kubectl get po -n kube-system | grep etcd
etcd-v1-16-master                          1/1     Running   4          10d
$ kubectl exec -it etcd-v1-16-master -n kube-system -- sh
# inside the etcd pod: pods are stored under /registry/pods/<namespace>/<name>
$ ETCDCTL_API=3 etcdctl --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt del /registry/pods/default/nginx-6db489d4b7-qvmgn
1

Now if I check again:

$ kubectl get po
NAME                      READY   STATUS    RESTARTS   AGE
curler-755cc7cfff-xdt6m   1/1     Running   0          21h
nginx-6db489d4b7-n8p8d    1/1     Running   0          35s
answered 2020-01-03T13:10:17.123