【Question Title】: Restricted user in K8s needs CRD access
【Posted】: 2021-11-28 02:18:27
【Question】:

In my scenario, the user has access to only four namespaces, and he switches between them using the contexts below. How can I give him access to CRDs in addition to his existing access to the four namespaces?

CURRENT   NAME                      CLUSTER     AUTHINFO                       NAMESPACE
*         dev-crd-ns-user           dev         dev-crd-ns-user                dev-crd-ns
          dev-mon-fe-ns-user        dev         dev-mon-fe-ns-user             dev-mon-fe-ns
          dev-strimzi-operator-ns   dev         dev-strimzi-operator-ns-user   dev-strimzi-operator-ns
          dev-titan-ns-1            dev         dev-titan-ns-1-user            dev-titan-ns-1


hifi@101common:/root$ kubectl get secret
NAME                                     TYPE                                  DATA   AGE
default-token-mh7xq                      kubernetes.io/service-account-token   3      8d
dev-crd-ns-user-token-zd6xt   kubernetes.io/service-account-token   3      8d
exfo@cmme101common:/root$ kubectl get crd
Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:dev-crd-ns:dev-crd-ns-user" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

I tried the following two options. Option 2 was the suggestion, but neither of them works.

Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:dev-crd-ns:dev-crd-ns-user" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the **cluster scope** 

Option 1: Add CRDs to the existing Role

Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
  name: dev-ns-user-full-access
  namespace: dev-crd-ns
rules:
- apiGroups:
  - ""
  - extensions
  - apps
  - networking.k8s.io
  - apiextensions.k8s.io
  resources:
  - '*'
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
  name: dev-crd-ns-user-view
  namespace: dev-crd-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-crd-ns-user-full-access
subjects:
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns

Option 2: Add the CRD as a new Role in the "dev-crd-ns" namespace

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev-crd-ns
  name: crd-admin
rules:
- apiGroups: ["apiextensions.k8s.io"] 
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: crd-admin
  namespace: dev-crd-ns
subjects:
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns
roleRef:
  kind: Role 
  name: crd-admin
  apiGroup: rbac.authorization.k8s.io

【Discussion】:

    Tags: kubernetes rbac kubernetes-custom-resources


    【Solution 1】:

    You need to create a Role and RoleBinding for each service account, e.g. dev-crd-ns-user.

    For dev-crd-ns-user:

    • Update the existing Role or create a new one:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: dev-crd-ns
      name: crd-admin
    rules:
    - apiGroups: ["apiextensions.k8s.io"] 
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    
    $ kubectl apply -f crd-admin-role.yaml
    
    • Update the existing RoleBinding with this new Role, or create a new one:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: crd-admin
      namespace: dev-crd-ns
    subjects:
    - kind: ServiceAccount
      name: dev-crd-ns-user
      namespace: dev-crd-ns
    roleRef:
      kind: Role 
      name: crd-admin
      apiGroup: rbac.authorization.k8s.io
    
    $ kubectl apply -f crd-admin-role-binding.yaml
    

    Now the SA dev-crd-ns-user will have full access to customresourcedefinitions.

    Perform similar steps for the remaining service accounts.
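    The error in the question says the denial is "at the cluster scope": customresourcedefinitions are a cluster-scoped resource, so the permission has to come from a ClusterRole granted through a ClusterRoleBinding. The manifest below is an added example, not code from the question or the answer; it assumes the other three service accounts are named as in the AUTHINFO column of the context list (only dev-crd-ns-user is confirmed on the page) and grants read-only verbs, which is what "kubectl get crd" needs.

```yaml
# Added example (not from the question or answer). CRDs are cluster-scoped,
# so a namespaced Role/RoleBinding cannot grant list/get on them; a
# ClusterRole bound with a ClusterRoleBinding is required. Only read verbs
# are granted: create/update/delete on CRDs has cluster-wide impact
# (deleting a CRD deletes every custom resource of that type).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-reader
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crd-reader-dev-users
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crd-reader
subjects:
# Service account names follow the AUTHINFO column of the question's context
# list; only dev-crd-ns-user is confirmed on the page, the others are assumed.
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns
- kind: ServiceAccount
  name: dev-mon-fe-ns-user
  namespace: dev-mon-fe-ns
- kind: ServiceAccount
  name: dev-strimzi-operator-ns-user
  namespace: dev-strimzi-operator-ns
- kind: ServiceAccount
  name: dev-titan-ns-1-user
  namespace: dev-titan-ns-1
# Apply as a cluster admin and verify with impersonation (expected: yes):
#   kubectl apply -f crd-reader.yaml
#   kubectl auth can-i list customresourcedefinitions \
#     --as=system:serviceaccount:dev-crd-ns:dev-crd-ns-user
# The existing namespaced Roles are untouched; this binding adds nothing
# beyond read access to CRD objects themselves.
```

    Binding the same ClusterRole to all four service accounts in one ClusterRoleBinding keeps the grant in a single place to review, instead of repeating it per namespace.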

    【Comments】:
