
The Kubernetes RBAC authorization layer seems to give the wrong result

Stack Overflow user
Asked on 2018-12-23 16:11:39
1 answer, 132 views, 0 followers, 1 vote

I want to understand Kubernetes RBAC better. In this unexpected case, an authorization test with kubectl auth can-i differs from the actual result. In short, according to this test a newly created user should not be able to get pods, but the user actually can get pods.

Versions:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-17T18:53:20Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-17T18:43:26Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

kubectl configuration for the user in question:

$ kubectl config view --minify
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /home/master/ca.pem
    server: https://192.168.1.111:6443
  name: jdoe
contexts:
- context:
    cluster: jdoe
    user: jdoe
  name: jdoe
current-context: jdoe
kind: Config
preferences: {}
users:
- name: jdoe
  user:
    client-certificate: /home/master/jdoe.pem
    client-key: /home/master/jdoe-key.pem

A test against the authorization layer says that jdoe cannot get pods.

$ kubectl auth can-i get pods --as jdoe
no

However, jdoe can get pods:

$ kubectl get pods --all-namespaces
NAMESPACE       NAME                                       READY     STATUS    RESTARTS   AGE
ingress-nginx   nginx-ingress-controller-87554c57b-ttgwp   1/1       Running   0          5h
kube-system     coredns-5f7d467445-ngnvf                   1/1       Running   0          1h
kube-system     coredns-5f7d467445-wwf5s                   1/1       Running   0          5h
kube-system     weave-net-25kq2                            2/2       Running   0          5h
kube-system     weave-net-5njbh                            2/2       Running   0          4h

After switching back to the admin context, the auth layer gives a similar result:

$ kubectl config use-context kubernetes
Switched to context "kubernetes".
$ kubectl config view --minify
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.1.111:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: admin
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate: /home/master/admin.pem
    client-key: /home/master/admin-key.pem

From here too, user jdoe should not be able to get pods.

$ kubectl auth can-i get pods --as jdoe
no

Output of kubectl config view:

$ kubectl config view 
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /home/master/ca.pem
    server: https://192.168.1.111:6443
  name: jdoe
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.1.111:6443
  name: kubernetes
- cluster:
    certificate-authority: /home/master/ca.pem
    server: https://192.168.1.111:6443
  name: master
contexts:
- context:
    cluster: jdoe
    user: jdoe
  name: jdoe
- context:
    cluster: kubernetes
    user: admin
  name: kubernetes
- context:
    cluster: master
    user: master
  name: master
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate: /home/master/admin.pem
    client-key: /home/master/admin-key.pem
- name: jdoe
  user:
    client-certificate: /home/master/jdoe.pem
    client-key: /home/master/jdoe-key.pem
- name: master
  user:
    client-certificate: /home/master/master.pem
    client-key: /home/master/master-key.pem

1 answer

Stack Overflow user

Accepted answer

Posted on 2018-12-23 21:17:51

kubectl get pods without a specific pod name actually does a list. For details on which verb corresponds to a given request, see https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb

What does can-i list pods return?

2 votes
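The mapping the answer points to, as an added example that is not part of the question or the answer: it derives the RBAC verb the apiserver authorizes from an HTTP method and request URL (the table on the docs page linked above) and evaluates Role rules against it. The rule matcher is a simplified model of the RBAC authorizer, not apiserver code; it assumes exact resource names and ignores binding scope (Role versus ClusterRole), aggregation and non-resource URLs. The role assigned to jdoe is constructed for the demonstration, since the question never shows it.

```python
# Added example, not from the question or answer: derive the RBAC verb the
# apiserver checks from an HTTP method and URL (table from the docs page the
# answer links to), then evaluate Role rules against it. The matcher is a
# simplified model (assumptions: exact resource names; binding scope,
# aggregation and non-resource URLs ignored), not apiserver code.
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs, urlparse


@dataclass
class Attributes:
    verb: str
    api_group: str  # "" is the core group (/api/v1)
    resource: str   # "pods", or "pods/log" for a subresource
    namespace: str  # "" for cluster-scoped or all-namespaces requests
    name: str       # "" for collection requests


def request_to_attributes(method: str, url: str) -> Attributes:
    """What the authorizer sees for one request, e.g. GET /api/v1/pods."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "api":       # /api/v1/...
        group, rest = "", parts[2:]
    elif len(parts) >= 3 and parts[0] == "apis":    # /apis/<group>/<version>/...
        group, rest = parts[1], parts[3:]
    else:
        raise ValueError("not a resource request: " + url)
    # /namespaces/<ns>/<resource>... is namespaced; a bare /namespaces[/<name>]
    # addresses the Namespace resource itself.
    namespace = ""
    if len(rest) >= 3 and rest[0] == "namespaces":
        namespace, rest = rest[1], rest[2:]
    if not rest:
        raise ValueError("no resource in path: " + url)
    resource = rest[0] if len(rest) < 3 else rest[0] + "/" + rest[2]
    name = rest[1] if len(rest) >= 2 else ""
    watching = parse_qs(parsed.query).get("watch", ["false"])[0] in ("true", "1")
    m = method.upper()
    if m in ("GET", "HEAD"):
        # The answer's point: the same GET is "get" with a name and "list"
        # without one, and kubectl get pods sends the latter.
        verb = "watch" if watching else ("get" if name else "list")
    elif m == "DELETE":
        verb = "delete" if name else "deletecollection"
    else:
        verb = {"POST": "create", "PUT": "update", "PATCH": "patch"}.get(m)
        if verb is None:
            raise ValueError("unsupported method: " + method)
    return Attributes(verb, group, resource, namespace, name)


@dataclass
class PolicyRule:
    """One entry of a Role or ClusterRole 'rules:' list."""
    verbs: List[str]
    api_groups: List[str]
    resources: List[str]
    resource_names: List[str] = field(default_factory=list)


def rule_allows(rule: PolicyRule, attrs: Attributes) -> bool:
    def matches(allowed: List[str], value: str) -> bool:
        return "*" in allowed or value in allowed
    if not (matches(rule.verbs, attrs.verb)
            and matches(rule.api_groups, attrs.api_group)
            and matches(rule.resources, attrs.resource)):
        return False
    # resourceNames only ever match a named request, so such a rule never
    # authorizes a collection (list) request in this model.
    return not rule.resource_names or attrs.name in rule.resource_names


def can_i(rules: List[PolicyRule], attrs: Attributes) -> bool:
    """RBAC is allow-only: one matching rule grants, nothing denies."""
    return any(rule_allows(r, attrs) for r in rules)


def reproduce_question() -> Dict[str, bool]:
    """Constructed role for jdoe (the question never shows it): verbs [list]
    only. 'kubectl auth can-i get pods' asks about the verb 'get', while
    'kubectl get pods --all-namespaces' issues GET /api/v1/pods, which is
    'list', so the two answers legitimately differ."""
    jdoe = [PolicyRule(verbs=["list"], api_groups=[""], resources=["pods"])]
    return {
        "can-i get pods": can_i(jdoe, Attributes("get", "", "pods", "default", "")),
        "can-i list pods": can_i(jdoe, Attributes("list", "", "pods", "default", "")),
        "get pods --all-namespaces": can_i(jdoe, request_to_attributes("GET", "/api/v1/pods")),
        "get pod weave-net-25kq2 -n kube-system": can_i(jdoe, request_to_attributes(
            "GET", "/api/v1/namespaces/kube-system/pods/weave-net-25kq2")),
    }
```

On a real cluster the same two checks are `kubectl get pods -v=6`, which logs the URL the client actually requests (a GET on the pods collection, so verb list), and `kubectl auth can-i list pods --as jdoe`, which asks about that verb rather than get. Note also that `--all-namespaces` requests `/api/v1/pods` with no namespace, so a RoleBinding scoped to one namespace would not cover it; only a ClusterRoleBinding does.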
Page content provided by Stack Overflow; translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/53905135
