Verifying whether a ClusterRole can be restricted to resources in a single namespace

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    sub_sys_code: "NTS-TIO-ELK"
    le: "NTS-TIO-ELK-AIO-APP-LOGSTASH"
    k8s-app: fluentd
  name: fluentd
  namespace: shb-sf-nts-tio-trustops-stg-30f097a5
imagePullSecrets:
- name: default

---
kind: ClusterRole
# rbac.authorization.k8s.io/v1beta1 (used in the session below) was removed in Kubernetes 1.22; v1 has been available since 1.8
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: fluentd-ClusterRole
  # The field under test. ClusterRole is cluster-scoped, so the API server
  # ignores this namespace; it does not limit where the rules apply.
  namespace: shb-sf-nts-tio-trustops-stg-30f097a5
rules:
  - apiGroups:
      - ""
    resources:
      - "pods"
    verbs:
      - "list"
      - "get"
      - "watch"

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: fluentd-ClusterRole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fluentd-ClusterRole
subjects:
- kind: ServiceAccount
  name: fluentd
  namespace: shb-sf-nts-tio-trustops-stg-30f097a5

First confirm that no ServiceAccount, ClusterRole, ClusterRoleBinding, Role or RoleBinding whose name contains "fluentd" exists yet:

$ kubectl get serviceaccount,clusterrole,clusterrolebinding,role,rolebinding -n shb-sf-nts-tio-trustops-stg-30f097a5 | sed -n '1p;/fluentd/Ip'
NAME         SECRETS   AGE




$ date
Fri Apr 19 21:57:56 CST 2019
$

Create the ServiceAccount, ClusterRole and ClusterRoleBinding, then ask the API server what the ServiceAccount may do in another namespace (kube-system) and in its own:

$ date
Fri Apr 19 21:57:56 CST 2019
$ clear
$ ls -lh
total 4.0K
-rw-r--r-- 1 root root 817 Apr 19 21:55 clusterrole.yaml
$ cat clusterrole.yaml
---
apiVersion: v1
kind: ServiceAccount
imagePullSecrets:
- name: default
metadata:
  labels:
    sub_sys_code: "NTS-TIO-ELK"
    le: "NTS-TIO-ELK-AIO-APP-LOGSTASH"
    k8s-app: fluentd
  name: fluentd
  namespace: shb-sf-nts-tio-trustops-stg-30f097a5

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: fluentd-ClusterRole
rules:
  - apiGroups:
      - ""
    resources:
      - "pods"
    verbs:
      - "list"
      - "get"
      - "watch"

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: fluentd-ClusterRole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: fluentd-ClusterRole
subjects:
- kind: ServiceAccount
  name: fluentd
  namespace: shb-sf-nts-tio-trustops-stg-30f097a5
$ kubectl apply -f clusterrole.yaml --dry-run
serviceaccount "fluentd" created (dry run)
clusterrole "fluentd-ClusterRole" created (dry run)
clusterrolebinding "fluentd-ClusterRole" created (dry run)
$ kubectl apply -f clusterrole.yaml --record
serviceaccount "fluentd" created
clusterrole "fluentd-ClusterRole" created
clusterrolebinding "fluentd-ClusterRole" created
$ kubectl get serviceaccount,clusterrole,clusterrolebinding,role,rolebinding -n shb-sf-nts-tio-trustops-stg-30f097a5 | sed -n '1p;/fluentd/Ip'
NAME         SECRETS   AGE
sa/fluentd   1         19s

clusterroles/fluentd-ClusterRole                                                    19s

clusterrolebindings/fluentd-ClusterRole                                    19s


$ kubectl auth can-i list pods --as system:serviceaccount:shb-sf-nts-tio-trustops-stg-30f097a5:fluentd --namespace kube-system
yes
$ kubectl auth can-i list pods --as system:serviceaccount:shb-sf-nts-tio-trustops-stg-30f097a5:fluentd --namespace shb-sf-nts-tio-trustops-stg-30f097a5
yes
$ date
Fri Apr 19 22:06:07 CST 2019
$

Conclusion

$ kubectl auth can-i list pods --as system:serviceaccount:shb-sf-nts-tio-trustops-stg-30f097a5:fluentd --namespace kube-system
yes
$ kubectl auth can-i list pods --as system:serviceaccount:shb-sf-nts-tio-trustops-stg-30f097a5:fluentd --namespace shb-sf-nts-tio-trustops-stg-30f097a5
yes

The ServiceAccount can list pods in kube-system just as it can in its own namespace, so the answer to the question in the title is no. A ClusterRole bound through a ClusterRoleBinding grants its rules in every namespace, and a `namespace` written into the ClusterRole's metadata has no effect, because ClusterRole is a cluster-scoped kind. To confine fluentd to one namespace, keep the ClusterRole (or define a Role) and bind it with a RoleBinding created in that namespace: a RoleBinding whose roleRef points at a ClusterRole grants those rules only inside the RoleBinding's own namespace, and `kubectl auth can-i ... --namespace kube-system` then answers `no`.
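The following is an added example, not code from the original post and not kubectl itself. It models the part of the Kubernetes RBAC authorizer that decides binding scope and re-runs the post's two `kubectl auth can-i` questions offline: first against an in-memory copy of the post's manifest (ClusterRole with a namespace in its metadata, bound by a ClusterRoleBinding), then against the corrected variant that binds the same ClusterRole with a RoleBinding in the target namespace. The ServiceAccount, ClusterRole and namespace names are the post's; the RoleBinding name `fluentd-RoleBinding` is assumed.

```python
"""Offline model of how Kubernetes RBAC scopes a ClusterRole.

Added example, not code from the original post and not kubectl. It answers the
post's `kubectl auth can-i` questions against an in-memory copy of the post's
manifest, then against a corrected variant bound with a namespaced RoleBinding.
"""
import json

NS = "shb-sf-nts-tio-trustops-stg-30f097a5"   # namespace from the post
RBAC = "rbac.authorization.k8s.io/v1"         # v1beta1 was removed in Kubernetes 1.22


def service_account(namespace, name):
    """Username the API server assigns to a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


CLUSTER_ROLE = {
    "apiVersion": RBAC, "kind": "ClusterRole",
    # The post put a namespace here. ClusterRole is cluster-scoped, so the API
    # server clears metadata.namespace on create; it never limits the grant.
    "metadata": {"name": "fluentd-ClusterRole", "namespace": NS},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get", "watch"]}],
}
SUBJECT = {"kind": "ServiceAccount", "name": "fluentd", "namespace": NS}
ROLE_REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "fluentd-ClusterRole"}

# What the post applied: ClusterRole + ClusterRoleBinding.
POST_OBJECTS = [
    CLUSTER_ROLE,
    {"apiVersion": RBAC, "kind": "ClusterRoleBinding",
     "metadata": {"name": "fluentd-ClusterRole"}, "roleRef": ROLE_REF, "subjects": [SUBJECT]},
]

# Corrected variant: same ClusterRole, bound by a RoleBinding that lives in the
# target namespace. The binding name "fluentd-RoleBinding" is assumed.
FIXED_OBJECTS = [
    CLUSTER_ROLE,
    {"apiVersion": RBAC, "kind": "RoleBinding",
     "metadata": {"name": "fluentd-RoleBinding", "namespace": NS}, "roleRef": ROLE_REF, "subjects": [SUBJECT]},
]


def _subject_matches(subject, username):
    if subject["kind"] == "ServiceAccount":
        return username == service_account(subject["namespace"], subject["name"])
    return subject["kind"] == "User" and subject["name"] == username   # Groups not modelled


def _rule_allows(rule, verb, api_group, resource):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def can_i(objects, username, verb, resource, namespace, api_group=""):
    """Mirror of `kubectl auth can-i VERB RESOURCE --as USER -n NAMESPACE`."""
    # Roles are keyed by their namespace; ClusterRoles are not, whatever their manifest said.
    roles = {}
    for o in objects:
        if o["kind"] == "Role":
            roles[("Role", o["metadata"]["namespace"], o["metadata"]["name"])] = o
        elif o["kind"] == "ClusterRole":
            roles[("ClusterRole", None, o["metadata"]["name"])] = o
    for b in objects:
        if b["kind"] == "ClusterRoleBinding":
            scope = None                         # applies in every namespace
        elif b["kind"] == "RoleBinding":
            scope = b["metadata"]["namespace"]   # applies only inside its own namespace
            if scope != namespace:
                continue
        else:
            continue
        if not any(_subject_matches(s, username) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole":
            role = roles.get(("ClusterRole", None, ref["name"]))
        else:   # a RoleBinding may instead reference a Role in its own namespace
            role = roles.get(("Role", scope, ref["name"]))
        if role and any(_rule_allows(r, verb, api_group, resource) for r in role.get("rules", [])):
            return True
    return False


def check_both(objects):
    """The two questions the post asked, for one set of RBAC objects."""
    user = service_account(NS, "fluentd")
    return {ns: can_i(objects, user, "list", "pods", ns) for ns in ("kube-system", NS)}


def fixed_manifest():
    """JSON List manifest of the corrected objects; `kubectl apply -f` accepts JSON as well as YAML."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": FIXED_OBJECTS}, indent=2)


if __name__ == "__main__":
    print("ClusterRoleBinding (as in the post):", check_both(POST_OBJECTS))
    print("RoleBinding -> ClusterRole:          ", check_both(FIXED_OBJECTS))
```

Running it prints `{'kube-system': True, '...-30f097a5': True}` for the post's objects and `{'kube-system': False, '...-30f097a5': True}` for the RoleBinding variant, the same pair of answers a real cluster gives. The dicts map field for field onto YAML, so `fixed_manifest()` can be piped into `kubectl apply -f -` on a cluster that has the post's ServiceAccount, after which `kubectl auth can-i list pods --as system:serviceaccount:<ns>:fluentd --namespace kube-system` should answer `no`.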
