k8s RBAC

Can view pods in the test namespace
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test
  namespace: test
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
```
Differences between get/list/watch

Thank you
Can run get node

node is a cluster-scoped resource
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
```
Mapping between apiGroups and resources

You can also tell whether a resource is cluster-scoped (NAMESPACED column)
```
$ kubectl api-resources
NAME                SHORTNAMES   APIVERSION   NAMESPACED   KIND
bindings                         v1           true         Binding
componentstatuses   cs           v1           false        ComponentStatus
configmaps          cm           v1           true         ConfigMap
endpoints           ep           v1           true         Endpoints
events              ev           v1           true         Event
limitranges         limits       v1           true         LimitRange
namespaces          ns           v1           false        Namespace
```
With -o wide you can also see the verbs each resource supports
```
# kubectl api-resources -o wide
NAME                SHORTNAMES   APIVERSION   NAMESPACED   KIND              VERBS                                                        CATEGORIES
bindings                         v1           true         Binding           create
componentstatuses   cs           v1           false        ComponentStatus   get,list
configmaps          cm           v1           true         ConfigMap         create,delete,deletecollection,get,list,patch,update,watch
endpoints           ep           v1           true         Endpoints         create,delete,deletecollection,get,list,patch,update,watch
events              ev           v1           true         Event             create,delete,deletecollection,get,list,patch,update,watch
```
Messages for insufficient permissions

If you see a message along these lines, review the permissions that are needed.

rolebinding

```
Error: UPGRADE FAILED: could not get information about the resource: configmaps "argocd-cm" is forbidden:
User "system:serviceaccount:test:for-test" cannot get resource "configmaps" in API group "" in the namespace "argocd"
```

The role bound to the for-test service account lacks permission to get the following:

- namespace: argocd
- API group: ""
- resource: configmaps
cluster rolebinding

```
Error: UPGRADE FAILED: could not get information about the resource: customresourcedefinitions.apiextensions.k8s.io "applications.argoproj.io" is forbidden:
User "system:serviceaccount:test:for-test" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
```

The clusterrole bound to the for-test service account lacks permission to get the following:

- API group: apiextensions.k8s.io
- resource: customresourcedefinitions
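As an added example (not part of the original scrap), a small Python helper that parses the two kinds of forbidden message shown above and renders the smallest Role or ClusterRole rule that would satisfy exactly the denied request. The sample messages are the two errors quoted above; the regex is derived from their wording.

```python
import re
from typing import Optional

# Regex for the RBAC "forbidden" message format quoted in the notes above:
#   User "<subject>" cannot <verb> resource "<resource>" in API group "<group>"
#   in the namespace "<ns>"   -or-   at the cluster scope
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

# Sample input: the two error messages quoted in the notes above.
SAMPLE_MESSAGES = [
    'Error: UPGRADE FAILED: could not get information about the resource: '
    'configmaps "argocd-cm" is forbidden: User "system:serviceaccount:test:for-test" '
    'cannot get resource "configmaps" in API group "" in the namespace "argocd"',
    'Error: UPGRADE FAILED: could not get information about the resource: '
    'customresourcedefinitions.apiextensions.k8s.io "applications.argoproj.io" is forbidden: '
    'User "system:serviceaccount:test:for-test" cannot get resource '
    '"customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope',
]

def parse_forbidden(message: str) -> Optional[dict]:
    """Pull subject, verb, resource, apiGroup and scope out of a forbidden error."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        return None
    info = m.groupdict()
    # A namespace in the message means a Role (+ RoleBinding) in that namespace
    # suffices; "at the cluster scope" needs a ClusterRole (+ ClusterRoleBinding).
    info["kind"] = "Role" if info["namespace"] else "ClusterRole"
    return info

def missing_rule_yaml(info: dict) -> str:
    """Render the smallest rule that grants exactly the denied verb, nothing more."""
    header = [f'# {info["kind"]} for {info["user"]}']
    if info["namespace"]:
        header.append(f'# namespace: {info["namespace"]}')
    rule = [
        "rules:",
        f'- apiGroups: ["{info["group"]}"]',
        f'  resources: ["{info["resource"]}"]',
        f'  verbs: ["{info["verb"]}"]',
    ]
    return "\n".join(header + rule)

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(missing_rule_yaml(parse_forbidden(msg)), end="\n\n")
```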
Practice (argocd-helm)

Roles needed to summon argocd with helm
```yaml
# role
rules:
- apiGroups: [""]
  resources: ["secrets", "serviceaccounts", "configmaps", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

```yaml
# clusterrole
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings", "clusterroles"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```
This varies with the contents of values; looking things up by label seems like the way to go
```sh
kubectl get $(kubectl api-resources -o name --no-headers=true | tr '\n' ',' | sed 's/,$//') --all-namespaces --selector=helm.sh/chart=argo-cd-7.5.2 -o wide
```