
k8s RBAC

not75743

Can view pods in the test namespace

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test
  namespace: test
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Can run get node

node is a cluster-scoped resource, hence a ClusterRole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

Mapping between apigroup and resource

The NAMESPACED column also tells you whether a resource is cluster-scoped

$ kubectl api-resources
NAME                              SHORTNAMES         APIVERSION                        NAMESPACED   KIND
bindings                                             v1                                true         Binding
componentstatuses                 cs                 v1                                false        ComponentStatus
configmaps                        cm                 v1                                true         ConfigMap
endpoints                         ep                 v1                                true         Endpoints
events                            ev                 v1                                true         Event
limitranges                       limits             v1                                true         LimitRange
namespaces                        ns                 v1                                false        Namespace

-o wide also shows the verbs each resource supports
https://kubernetes.io/docs/reference/using-api/api-concepts/#api-verbs

# kubectl api-resources -o wide
NAME                              SHORTNAMES         APIVERSION                        NAMESPACED   KIND                             VERBS                                                        CATEGORIES
bindings                                             v1                                true         Binding                          create                                                       
componentstatuses                 cs                 v1                                false        ComponentStatus                  get,list                                                     
configmaps                        cm                 v1                                true         ConfigMap                        create,delete,deletecollection,get,list,patch,update,watch   
endpoints                         ep                 v1                                true         Endpoints                        create,delete,deletecollection,get,list,patch,update,watch   
events                            ev                 v1                                true         Event                            create,delete,deletecollection,get,list,patch,update,watch 

Messages for insufficient permissions

If a message with this kind of wording appears, review the permissions that are needed

rolebinding

Error: UPGRADE FAILED: could not get information about the resource: configmaps "argocd-cm" is forbidden:
User "system:serviceaccount:test:for-test" cannot get resource "configmaps" in API group "" in the namespace "argocd"

The role bound to the service account for-test is missing the get permission for:

  • namespace: argocd
  • api group: ""
  • resource: configmaps

cluster rolebinding

Error: UPGRADE FAILED: could not get information about the resource: customresourcedefinitions.apiextensions.k8s.io "applications.argoproj.io" is forbidden:
User "system:serviceaccount:test:for-test" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

The clusterrole bound to the service account for-test is missing the get permission for:

  • api group: apiextensions.k8s.io
  • resource: customresourcedefinitions
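As an added example (not part of this scrap), the following Python script turns the two forbidden messages quoted above into the narrowest Role/ClusterRole plus binding that would grant exactly the missing verb, and cross-checks the scope named in the error against the NAMESPACED column of `kubectl api-resources` output (the parser handles the blank-SHORTNAMES rows shown earlier). The message texts are the ones from this scrap; the api-resources excerpt is a constructed sample; the function names and the `<sa>-<resource>-<verb>` naming of the generated objects are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The two forbidden messages quoted in the notes above.
ERR_NAMESPACED = (
    'Error: UPGRADE FAILED: could not get information about the resource: configmaps "argocd-cm" is forbidden:\n'
    'User "system:serviceaccount:test:for-test" cannot get resource "configmaps" in API group "" in the namespace "argocd"'
)
ERR_CLUSTER = (
    'Error: UPGRADE FAILED: could not get information about the resource: customresourcedefinitions.apiextensions.k8s.io "applications.argoproj.io" is forbidden:\n'
    'User "system:serviceaccount:test:for-test" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope'
)

# Constructed excerpt of `kubectl api-resources` output (a few real rows, not a full listing).
API_RESOURCES_SAMPLE = """\
NAME                        SHORTNAMES   APIVERSION                NAMESPACED   KIND
configmaps                  cm           v1                        true         ConfigMap
nodes                                    v1                        false        Node
customresourcedefinitions   crd,crds     apiextensions.k8s.io/v1   false        CustomResourceDefinition
"""

# The trailing clause of the message carries the scope:
#   'in the namespace "X"'  -> Role + RoleBinding in X
#   'at the cluster scope'  -> ClusterRole + ClusterRoleBinding
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)


@dataclass
class MissingPermission:
    user: str
    verb: str
    resource: str
    api_group: str
    namespace: Optional[str]  # None: the request was at cluster scope

    @property
    def cluster_scoped(self) -> bool:
        return self.namespace is None


def parse_forbidden(message: str) -> MissingPermission:
    """Pull (user, verb, resource, apiGroup, scope) out of an RBAC forbidden error."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        raise ValueError("not a recognised RBAC forbidden message")
    return MissingPermission(m["user"], m["verb"], m["resource"], m["group"], m["namespace"])


def service_account(user: str) -> Tuple[str, str]:
    """Split 'system:serviceaccount:<namespace>:<name>' into (namespace, name)."""
    parts = user.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError(f"not a service account user name: {user}")
    return parts[2], parts[3]


def namespaced_resources(api_resources_output: str) -> Dict[str, bool]:
    """Map resource name -> namespaced? from `kubectl api-resources` text.

    SHORTNAMES may be blank, so columns cannot be split by index; instead the
    NAMESPACED value is the only token on a row that is literally true/false.
    """
    table = {}
    for line in api_resources_output.strip().splitlines()[1:]:
        tokens = line.split()
        flag = next(t for t in tokens if t in ("true", "false"))
        table[tokens[0]] = flag == "true"
    return table


def suggested_manifest(p: MissingPermission) -> str:
    """Render the narrowest Role/ClusterRole and binding granting only the missing verb."""
    sa_ns, sa_name = service_account(p.user)
    role_kind = "ClusterRole" if p.cluster_scoped else "Role"
    name = f"{sa_name}-{p.resource}-{p.verb}"
    # A Role and its RoleBinding live in the namespace the request targeted;
    # cluster-scoped objects carry no namespace at all.
    ns = "" if p.cluster_scoped else f"  namespace: {p.namespace}\n"
    return (
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        f"kind: {role_kind}\n"
        f"metadata:\n  name: {name}\n{ns}"
        "rules:\n"
        f'- apiGroups: ["{p.api_group}"]\n'
        f'  resources: ["{p.resource}"]\n'
        f'  verbs: ["{p.verb}"]\n'
        "---\n"
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        f"kind: {role_kind}Binding\n"
        f"metadata:\n  name: {name}\n{ns}"
        "subjects:\n"
        f"- kind: ServiceAccount\n  name: {sa_name}\n  namespace: {sa_ns}\n"
        "roleRef:\n"
        f"  kind: {role_kind}\n  name: {name}\n  apiGroup: rbac.authorization.k8s.io\n"
    )


if __name__ == "__main__":
    scopes = namespaced_resources(API_RESOURCES_SAMPLE)
    for err in (ERR_NAMESPACED, ERR_CLUSTER):
        p = parse_forbidden(err)
        # Cross-check: the scope in the error must agree with the NAMESPACED column.
        assert scopes[p.resource] == (not p.cluster_scoped)
        print(suggested_manifest(p))
```

The generated objects grant one verb on one resource, which is the point: when fixing a forbidden error, add the missing verb rather than reaching for the full get/list/watch/create/update/patch/delete set, and keep namespaced permissions in a Role so the service account never gains cluster-wide access it does not need.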


Practice (argocd-helm)

Roles needed to summon argocd with helm

# role

rules:
- apiGroups: [""]
  resources: ["secrets", "serviceaccounts", "configmaps", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

# clusterrole
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings", "clusterroles"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

This varies depending on the contents of values, so it's probably best to look it up by label

kubectl get $(kubectl api-resources -o name --no-headers=true | tr '\n' ',' | sed 's/,$//') --all-namespaces --selector=helm.sh/chart=argo-cd-7.5.2 -o wide