K8s: Viewing cluster RBAC authorization with the kubectl plugin rakkess
source link: https://liruilongs.github.io/2023/01/18/%E5%BE%85%E5%8F%91%E5%B8%83/%E5%85%B3%E4%BA%8EKubernetes-%E4%B8%AD-%E9%80%9A%E8%BF%87-kubectl-%E6%8F%92%E4%BB%B6-rakkess-%E6%9F%A5%E7%9C%8B%E7%94%A8%E6%88%B7RBAC%E6%8E%88%E6%9D%83/
I go out by the east gate, where the girls are as many as clouds; yet many as clouds they may be, none is the one my heart dwells on. She in the plain white robe and grey-green kerchief, she alone gladdens me. (Odes of Zheng, "Out of the East Gate")
- Sharing a tool for viewing RBAC permissions
- With rakkess you can view the RBAC grants in the current namespace
- Where my understanding falls short, corrections from readers are welcome
In K8s cluster permission management, authentication is commonly done with an SA + token or a CA certificate, and authorization with RBAC; least privilege is usually enforced per namespace to keep the cluster secure and to isolate cluster tenants from one another. Both SAs and CA certificates involve granting permissions, and k8s provides the Role, ClusterRole, RoleBinding and ClusterRoleBinding API resources through which those grants can be inspected.
If krew is installed and you have unrestricted internet access, you can install it as follows:
kubectl krew install access-matrix
Otherwise, install it from the release binary:
curl -LO https://github.com/corneliusweig/rakkess/releases/download/v0.5.0/rakkess-amd64-linux.tar.gz
Extract it and set it up as a kubectl plugin.
┌──[[email protected]]-[~/ansible/krew]
└─$tar -zxvf rakkess-amd64-linux.tar.gz
LICENSE
rakkess-amd64-linux
┌──[[email protected]]-[~/ansible/krew]
└─$mv rakkess-amd64-linux kubectl-rakkess
┌──[[email protected]]-[~/ansible/krew]
└─$mv kubectl-rakkess /usr/local/bin/
┌──[[email protected]]-[~/ansible/krew]
└─$kubectl rakkess version
v0.5.0
View the RBAC permissions in the current namespace.
┌──[[email protected]]-[~/ansible/krew]
└─$kubectl rakkess --namespace default
NAME LIST CREATE UPDATE DELETE
✖ ✖ ✖ ✖
............
alertmanagerconfigs.monitoring.coreos.com ✔ ✔ ✔ ✔
alertmanagers.monitoring.coreos.com ✔ ✔ ✔ ✔
awxbackups.awx.ansible.com ✔ ✔ ✔ ✔
awxrestores.awx.ansible.com ✔ ✔ ✔ ✔
awxs.awx.ansible.com ✔ ✔ ✔ ✔
bindings ✔
configmaps ✔ ✔ ✔ ✔
controllerrevisions.apps ✔ ✔ ✔ ✔
cronjobs.batch ✔ ✔ ✔ ✔
csistoragecapacities.storage.k8s.io ✔ ✔ ✔ ✔
daemonsets.apps ✔ ✔ ✔ ✔
deployments.apps ✔ ✔ ✔ ✔
endpoints ✔ ✔ ✔ ✔
endpointslices.discovery.k8s.io ✔ ✔ ✔ ✔
events ✔ ✔ ✔ ✔
events.events.k8s.io ✔ ✔ ✔ ✔
horizontalpodautoscalers.autoscaling ✔ ✔ ✔ ✔
ingresses.networking.k8s.io ✔ ✔ ✔ ✔
jobs.batch ✔ ✔ ✔ ✔
leases.coordination.k8s.io ✔ ✔ ✔ ✔
limitranges ✔ ✔ ✔ ✔
localsubjectaccessreviews.authorization.k8s.io ✔
networkpolicies.crd.projectcalico.org ✔ ✔ ✔ ✔
networkpolicies.networking.k8s.io ✔ ✔ ✔ ✔
networksets.crd.projectcalico.org ✔ ✔ ✔ ✔
persistentvolumeclaims ✔ ✔ ✔ ✔
poddisruptionbudgets.policy ✔ ✔ ✔ ✔
podmonitors.monitoring.coreos.com ✔ ✔ ✔ ✔
pods ✔ ✔ ✔ ✔
podtemplates ✔ ✔ ✔ ✔
probes.monitoring.coreos.com ✔ ✔ ✔ ✔
prometheuses.monitoring.coreos.com ✔ ✔ ✔ ✔
prometheusrules.monitoring.coreos.com ✔ ✔ ✔ ✔
replicasets.apps ✔ ✔ ✔ ✔
replicationcontrollers ✔ ✔ ✔ ✔
resourcequotas ✔ ✔ ✔ ✔
rolebindings.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
roles.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
secrets ✔ ✔ ✔ ✔
serviceaccounts ✔ ✔ ✔ ✔
servicemonitors.monitoring.coreos.com ✔ ✔ ✔ ✔
services ✔ ✔ ✔ ✔
statefulsets.apps ✔ ✔ ✔ ✔
thanosrulers.monitoring.coreos.com ✔ ✔ ✔ ✔
View the RBAC permissions for a given API resource.
┌──[[email protected]]-[~/ansible/krew]
└─$kubectl rakkess resource cm
NAME KIND SA-NAMESPACE LIST CREATE UPDATE DELETE
admin-user ServiceAccount kubernetes-dashboard ✔ ✔ ✔ ✔
generic-garbage-collector ServiceAccount kube-system ✔ ✖ ✔ ✔
horizontal-pod-autoscaler ServiceAccount kube-system ✔ ✖ ✖ ✖
ingress-nginx ServiceAccount ingress-nginx ✔ ✖ ✖ ✖
kubernetes-dashboard ServiceAccount kubernetes-dashboard ✔ ✔ ✔ ✔
kuboard-user ServiceAccount kube-system ✔ ✔ ✔ ✔
kuboard-viewer ServiceAccount kube-system ✔ ✖ ✖ ✖
liruilong User ✔ ✔ ✔ ✔
local-path-provisioner-service-account ServiceAccount local-path-storage ✔ ✖ ✖ ✖
namespace-controller ServiceAccount kube-system ✔ ✖ ✖ ✔
resourcequota-controller ServiceAccount kube-system ✔ ✖ ✖ ✖
root-ca-cert-publisher ServiceAccount kube-system ✖ ✔ ✔ ✖
system:kube-controller-manager User ✔ ✖ ✖ ✖
system:masters Group ✔ ✔ ✔ ✔
Only ClusterRoleBindings are considered, because no namespace is given.
When querying, you can specify which verbs to check:
┌──[[email protected]]-[~/ansible/krew]
└─$kubectl rakkess r cm --verbs get,delete,watch,patch
NAME KIND SA-NAMESPACE GET DELETE WATCH PATCH
admin-user ServiceAccount kubernetes-dashboard ✔ ✔ ✔ ✔
calico-node ServiceAccount kube-system ✔ ✖ ✖ ✖
generic-garbage-collector ServiceAccount kube-system ✔ ✔ ✔ ✔
horizontal-pod-autoscaler ServiceAccount kube-system ✔ ✖ ✖ ✖
ingress-nginx ServiceAccount ingress-nginx ✖ ✖ ✔ ✖
kubernetes-dashboard ServiceAccount kubernetes-dashboard ✔ ✔ ✔ ✔
kuboard-user ServiceAccount kube-system ✔ ✔ ✔ ✔
kuboard-viewer ServiceAccount kube-system ✔ ✖ ✔ ✖
liruilong User ✔ ✔ ✔ ✔
local-path-provisioner-service-account ServiceAccount local-path-storage ✔ ✖ ✔ ✖
namespace-controller ServiceAccount kube-system ✔ ✔ ✖ ✖
resourcequota-controller ServiceAccount kube-system ✖ ✖ ✔ ✖
system:kube-controller-manager User ✔ ✖ ✔ ✖
system:masters Group ✔ ✔ ✔ ✔
Only ClusterRoleBindings are considered, because no namespace is given.
The matrix can also be checked for a specific user (via impersonation) or for a service account:
┌──[[email protected]]-[~/ansible/krew]
└─$kubectl rakkess --as liruilong
┌──[[email protected]]-[~/ansible/krew]
└─$kubectl rakkess --sa kube-system:namespace-controller
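The logic behind the matrices above, as an added Python example that is neither rakkess' nor the author's code: it evaluates constructed Role/ClusterRole and binding objects against the RBAC matching rules (wildcards, RoleBindings scoped to their namespace, ClusterRoleBindings cluster-wide) and reproduces the "Only ClusterRoleBindings are considered, because no namespace is given" behaviour. The subject names echo the output above; the rules and bindings are invented.

```python
"""Rakkess-style access matrix computed from RBAC objects. Added example, not
rakkess' own code: the objects below are constructed inline (subject names from
the output above, rules invented) in `kubectl get -o json` shape."""

def rule_allows(rule, group, resource, verb):
    """One PolicyRule grants verb on group/resource; '*' matches anything."""
    return (any(g in ("*", group) for g in rule.get("apiGroups", []))
            and any(r in ("*", resource) for r in rule.get("resources", []))
            and any(v in ("*", verb) for v in rule.get("verbs", [])))

def access_matrix(roles, bindings, group, resource, verbs, namespace=None):
    """{subject: {verb: bool}}; with no namespace only ClusterRoleBindings count."""
    matrix = {}
    for b in bindings:
        ns = b["metadata"].get("namespace")  # None for a ClusterRoleBinding
        if b["kind"] == "RoleBinding" and ns != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        ref = b["roleRef"]  # a RoleBinding may reference a Role or a ClusterRole
        rules = roles.get((ref["kind"], ref["name"], ns if ref["kind"] == "Role" else None), [])
        for s in b.get("subjects", []):
            name = s["namespace"] + ":" + s["name"] if s["kind"] == "ServiceAccount" else s["name"]
            row = matrix.setdefault(s["kind"] + "/" + name, {v: False for v in verbs})
            for v in verbs:  # a subject may appear in several bindings: OR them together
                row[v] = row[v] or any(rule_allows(r, group, resource, v) for r in rules)
    return matrix

def render(matrix, verbs):
    """Table in the ✔/✖ layout of `kubectl rakkess resource`."""
    rows = [f"{'NAME':<44}" + " ".join(v.upper() for v in verbs)]
    rows += [f"{s:<44}" + " ".join("✔" if r[v] else "✖" for v in verbs) for s, r in sorted(matrix.items())]
    return "\n".join(rows)

ROLES = {  # (kind, name, namespace or None) -> rules; constructed sample
    ("ClusterRole", "cluster-admin", None): [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    ("ClusterRole", "cm-reader", None): [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}],
    ("Role", "cm-editor", "default"): [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "update", "patch"]}],
}
BINDINGS = [  # constructed sample; binding names omitted because they play no part
    {"kind": "ClusterRoleBinding", "metadata": {}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {}, "roleRef": {"kind": "ClusterRole", "name": "cm-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "kuboard-viewer", "namespace": "kube-system"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "default"}, "roleRef": {"kind": "Role", "name": "cm-editor"},
     "subjects": [{"kind": "User", "name": "liruilong"}]},
]
VERBS = ["get", "delete", "watch", "patch"]  # same verbs as `kubectl rakkess r cm --verbs ...`

if __name__ == "__main__":  # cluster-wide view first, then the view scoped to namespace default
    for ns in (None, "default"):
        print(render(access_matrix(ROLES, BINDINGS, "", "configmaps", VERBS, ns), VERBS), "\n")
```

The first table lists only the two ClusterRoleBinding subjects; the second adds User/liruilong, whose RoleBinding lives in namespace default.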