I need to create a kubeconfig with restricted access. I want to be able to grant permission to update a ConfigMap in a specific namespace. How can I create such a kubeconfig with the following permissions?
Is there a simple way to create it?
The tricky part here is that I need some program to be able to access cluster X and only modify this ConfigMap. How can I make that modification from an external process without handing over the full kubeconfig file, which could be a problem for security reasons?
To be clear, I own this cluster; I just want to give some program limited permissions.
Posted on 2020-06-10 21:50:43
This is not straightforward, but it is possible.

Create the namespace myns if it does not already exist.

$ kubectl create ns myns
namespace/myns created

Create the service account cm-user in the myns namespace. This also creates a secret holding its token.

$ kubectl create sa cm-user -n myns
serviceaccount/cm-user created
$ kubectl get sa cm-user -n myns
NAME      SECRETS   AGE
cm-user   1         18s
$ kubectl get secrets -n myns
NAME                  TYPE                                  DATA   AGE
cm-user-token-kv5j5   kubernetes.io/service-account-token   3      63s
default-token-m7j9v   kubernetes.io/service-account-token   3      96s

Get the token and ca.crt from the cm-user-token-kv5j5 secret.

$ kubectl get secrets cm-user-token-kv5j5 -n myns -oyaml

Base64-decode the token value from cm-user-token-kv5j5.

Now create a user with the decoded token.

$ kubectl config set-credentials cm-user --token=<decoded token value>
User "cm-user" set.

Now generate the kubeconfig file kubeconfig-cm.
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <ca.crt value from cm-user-token-kv5j5 secret>
    server: <kubernetes server>
  name: <cluster>
contexts:
- context:
    cluster: <cluster>
    namespace: myns
    user: cm-user
  name: cm-user
current-context: cm-user
users:
- name: cm-user
  user:
    token: <decoded token>

Now create a Role and a RoleBinding for the service account cm-user.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: myns
  name: cm-user-role
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["update", "get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cm-user-rb
  namespace: myns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cm-user-role
subjects:
- namespace: myns
  kind: ServiceAccount
  name: cm-user

We are done. Now, using this kubeconfig file, you can update mycm. It has no other privileges.
$ kubectl get cm -n myns --kubeconfig kubeconfig-cm
NAME   DATA   AGE
mycm   0      8s
$ kubectl delete cm mycm -n myns --kubeconfig kubeconfig-cm
Error from server (Forbidden): configmaps "mycm" is forbidden: User "system:serviceaccount:myns:cm-user" cannot delete resource "configmaps" in API group "" in the namespace "myns"

Posted on 2020-06-10 10:14:58
You need to use RBAC: define a Role, then bind that Role to a User or ServiceAccount with a RoleBinding.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: configmap-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["configmaps"]
  verbs: ["update", "get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read config maps in the "default" namespace.
# You need to already have a Role named "configmap-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-configmap
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: configmap-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

https://kubernetes.io/docs/reference/access-authn-authz/rbac/
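Both answers rely on the same two steps: assemble a kubeconfig that carries nothing but the service account token, and scope what that token can do with a namespaced Role. The script below is an added example, not code from either answer; it builds the kubeconfig from a service-account token Secret (the SAMPLE_SECRET and the server URL are constructed placeholders, not real cluster data) and then evaluates the first answer's Role offline, the way the RBAC authorizer would, so you can see before applying anything that "update" in myns is granted while "delete", other namespaces and other resource types are not. It also goes one step beyond the answers: narrow_role_to_configmap adds resourceNames so the token can touch only the one ConfigMap the question asks about, which is what the original poster actually wants. Function names and the sample values are my own. One practical caveat: since Kubernetes 1.24 a token Secret is no longer created automatically for a new service account, so on current clusters obtain the token with "kubectl create token cm-user -n myns" (or create the Secret yourself) and feed it to the same builder.

```python
import base64
import copy
import json

# Role from the first answer: update/get/list on ConfigMaps, in "myns" only.
CM_USER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"namespace": "myns", "name": "cm-user-role"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["update", "get", "list"]}],
}

# Constructed stand-in for the ServiceAccount token Secret; every value is fake.
# A real one is what `kubectl get secret cm-user-token-kv5j5 -n myns -o yaml` prints.
SAMPLE_SECRET = {
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "cm-user-token-kv5j5", "namespace": "myns"},
    "data": {
        "ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nFAKE\n-----END CERTIFICATE-----\n").decode(),
        "namespace": base64.b64encode(b"myns").decode(),
        "token": base64.b64encode(b"eyJhbGciOiJSUzI1NiJ9.fake.token").decode(),
    },
}


def decode_secret_field(secret, field):
    """Secret.data values are base64. The token must be decoded before it goes
    into a kubeconfig; ca.crt is copied across still base64-encoded."""
    return base64.b64decode(secret["data"][field]).decode()


def build_kubeconfig(secret, server, cluster="mycluster", user="cm-user"):
    """Assemble the minimal kubeconfig from the answer: one cluster, one user
    holding only the SA token, and a context pinned to the SA's namespace."""
    namespace = decode_secret_field(secret, "namespace")
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            "certificate-authority-data": secret["data"]["ca.crt"],  # stays base64
        }}],
        "contexts": [{"name": user, "context": {"cluster": cluster, "namespace": namespace, "user": user}}],
        "current-context": user,
        "users": [{"name": user, "user": {"token": decode_secret_field(secret, "token")}}],
    }


def kubeconfig_text(cfg):
    """kubectl parses a kubeconfig as YAML, and JSON is valid YAML, so no PyYAML is needed."""
    return json.dumps(cfg, indent=2)


def role_allows(role, namespace, verb, resource, api_group="", name=None):
    """Model of how the RBAC authorizer evaluates one namespaced Role.

    A Role never applies outside its own namespace. A request matches a rule
    only if apiGroup, resource and verb all match; a rule that lists
    resourceNames additionally needs a named object, so name-less requests
    (list, watch, create) never match such a rule. A real cluster also unions
    in ClusterRoles; this models just the single Role from the answer."""
    if role["metadata"]["namespace"] != namespace:
        return False
    for rule in role["rules"]:
        if api_group not in rule.get("apiGroups", []) and "*" not in rule.get("apiGroups", []):
            continue
        if resource not in rule.get("resources", []) and "*" not in rule.get("resources", []):
            continue
        if verb not in rule.get("verbs", []) and "*" not in rule.get("verbs", []):
            continue
        names = rule.get("resourceNames", [])
        if names and name not in names:
            continue
        return True
    return False


def narrow_role_to_configmap(role, cm_name):
    """Tighten the answer's Role to a single ConfigMap via resourceNames.
    "list" is dropped because a name-restricted rule cannot satisfy a list."""
    narrowed = copy.deepcopy(role)
    narrowed["rules"] = [{"apiGroups": [""], "resources": ["configmaps"],
                          "resourceNames": [cm_name], "verbs": ["get", "update"]}]
    return narrowed


if __name__ == "__main__":
    cfg = build_kubeconfig(SAMPLE_SECRET, "https://10.0.0.1:6443")  # placeholder server
    print(kubeconfig_text(cfg))
    for verb in ("get", "update", "delete"):
        print(verb, "mycm in myns:", role_allows(CM_USER_ROLE, "myns", verb, "configmaps", name="mycm"))
```

Write kubeconfig_text(cfg) to a file and pass it with --kubeconfig exactly as the first answer does. Before shipping the narrowed Role, remember that the program loses "list", so it must address the ConfigMap by name (kubectl get cm mycm, not kubectl get cm); that is the intended trade for a token that can reach nothing else.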
https://stackoverflow.com/questions/62301039