New users can view all pods without any rolebinding

Stack Overflow user
Asked 2019-04-19 11:17:20
1 answer · 177 views · 0 followers · 2 votes

kube-apiserver.service is running with --authorization-mode=Node,RBAC

```shell
$ kubectl api-versions | grep rbac
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta1
```

I believe this is enough for RBAC to be in effect.

However, any new user I create can view all resources without any role binding.

Steps used to create the new user:

```shell
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes nonadmin-csr.json | cfssljson -bare nonadmin
$ kubectl config set-cluster nonadmin --certificate-authority ca.pem --server https://127.0.0.1:6443
$ kubectl config set-credentials nonadmin --client-certificate nonadmin.pem --client-key nonadmin-key.pem
$ kubectl config set-context nonadmin --cluster nonadmin --user nonadmin
$ kubectl config use-context nonadmin
```

The user nonadmin can view pods and svc without any role binding.

```shell
$ kubectl get svc --all-namespaces
NAMESPACE       NAME                      TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE
default         kubernetes                ClusterIP   10.32.0.1     <none>        443/TCP                      5d4h
ingress-nginx   ingress-nginx             NodePort    10.32.0.129   <none>        80:30989/TCP,443:30686/TCP   5d3h
kube-system     calico-typha              ClusterIP   10.32.0.225   <none>        5473/TCP                     5d3h
kube-system     kube-dns                  ClusterIP   10.32.0.10    <none>        53/UDP,53/TCP                5d3h
rook-ceph       rook-ceph-mgr             ClusterIP   10.32.0.2     <none>        9283/TCP                     4d22h
rook-ceph       rook-ceph-mgr-dashboard   ClusterIP   10.32.0.156   <none>        8443/TCP                     4d22h
rook-ceph       rook-ceph-mon-a           ClusterIP   10.32.0.55    <none>        6790/TCP                     4d22h
rook-ceph       rook-ceph-mon-b           ClusterIP   10.32.0.187   <none>        6790/TCP                     4d22h
rook-ceph       rook-ceph-mon-c           ClusterIP   10.32.0.128   <none>        6790/TCP                     4d22h
```

Versions:

```shell
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:35:51Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:28:14Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}
```

This is an unmanaged Kubernetes setup on an Ubuntu 18 VM. Where did I go wrong?

Edit 1: adding the output of kubectl config view

```yaml
$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /home/dadmin/ca.pem
    server: https://192.168.1.111:6443
  name: gabbar
- cluster:
    certificate-authority: /home/dadmin/ca.pem
    server: https://127.0.0.1:6443
  name: nonadmin
- cluster:
    certificate-authority: /home/dadmin/ca.pem
    server: https://192.168.1.111:6443
  name: kubernetes
contexts:
- context:
    cluster: gabbar
    namespace: testing
    user: gabbar
  name: gabbar
- context:
    cluster: nonadmin
    user: nonadmin
  name: nonadmin
- context:
    cluster: kubernetes
    user: admin
  name: kubernetes
current-context: nonadmin
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate: /home/dadmin/admin.pem
    client-key: /home/dadmin/admin-key.pem
- name: gabbar
  user:
    client-certificate: /home/dadmin/gabbar.pem
    client-key: /home/dadmin/gabbar-key.pem
- name: nonadmin
  user:
    client-certificate: /home/dadmin/nonadmin.pem
    client-key: /home/dadmin/nonadmin-key.pem
```

Edit 2: the solution suggested by @VKR

```shell
cat > operator-csr.json <<EOF
{
  "CN": "operator",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "IN",
      "L": "BGLR",
      "O": "system:view",  <==== HERE
      "OU": "CKA"
    }
  ]
}
EOF

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  operator-csr.json | cfssljson -bare operator

MasterNode~$ kubectl config set-cluster operator --certificate-authority ca.pem --server $SERVER
Cluster "operator" set.

MasterNode~$ kubectl config set-credentials operator --client-certificate operator.pem --client-key operator-key.pem
User "operator" set.

MasterNode~$ kubectl config set-context operator --cluster operator --user operator
Context "operator" created.

MasterNode~$ kubectl auth can-i get pods --as operator
no

MasterNode~$ kubectl create rolebinding operator --clusterrole view --user operator -n default --save-config
rolebinding.rbac.authorization.k8s.io/operator created

MasterNode~$ cat crb-view.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: view
subjects:
- kind: User
  name: operator
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

MasterNode~$ kubectl create -f crb-view.yml --record --save-config
clusterrolebinding.rbac.authorization.k8s.io/view created

MasterNode~$ kubectl auth can-i get pods --as operator --all-namespaces
yes

MasterNode~$ kubectl auth can-i create pods --as operator --all-namespaces
no

MasterNode~$ kubectl config use-context operator
Switched to context "operator".

MasterNode~$ kubectl auth can-i "*" "*"
no

MasterNode~$ kubectl run db --image mongo
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
Error from server (Forbidden): deployments.apps is forbidden: User "operator" cannot create resource "deployments" in API group "apps" in the namespace "default"
```

1 Answer

Stack Overflow user

Accepted answer

Posted 2019-06-06 11:51:15

The root cause of this behavior is most likely that the group "O": "system:masters" was set in nonadmin-csr.json when the certificate was generated.

The system:masters group is bound to the cluster-admin super-user default role, so every newly created user gets full access.

Here is a good article that gives you step-by-step guidance on how to create a user with limited namespace access.

A quick test shows that similar users with different groups have a huge difference in access.

-subj "/CN=employee/O=testgroup":

```shell
kubectl --context=employee-context get pods --all-namespaces
Error from server (Forbidden): pods is forbidden: User "employee" cannot list resource "pods" in API group "" at the cluster scope
```

-subj "/CN=newemployee/O=system:masters":

```shell
kubectl --context=newemployee-context get pods --all-namespaces
NAMESPACE       NAME                                        READY   STATUS    RESTARTS   AGE
ingress-nginx   nginx-ingress-controller-797b884cbc-pckj6   1/1     Running   0          85d
ingress-nginx   prometheus-server-8658d8cdbb-92629          1/1     Running   0          36d
kube-system     coredns-86c58d9df4-gwk28                    1/1     Running   0          92d
kube-system     coredns-86c58d9df4-jxl84                    1/1     Running   0          92d
kube-system     etcd-kube-master-1                          1/1     Running   0          92d
kube-system     kube-apiserver-kube-master-1                1/1     Running   0          92d
kube-system     kube-controller-manager-kube-master-1       1/1     Running   4          92d
kube-system     kube-flannel-ds-amd64-k6sgd                 1/1     Running   0          92d
kube-system     kube-flannel-ds-amd64-mtrnc                 1/1     Running   0          92d
kube-system     kube-flannel-ds-amd64-zdzjl                 1/1     Running   1          92d
kube-system     kube-proxy-4pm27                            1/1     Running   1          92d
kube-system     kube-proxy-ghc7w                            1/1     Running   0          92d
kube-system     kube-proxy-wsq4h                            1/1     Running   0          92d
kube-system     kube-scheduler-kube-master-1                1/1     Running   4          92d
kube-system     tiller-deploy-5b7c66d59c-6wx89              1/1     Running   0          36d
```
1 vote
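The mechanism behind both the question's Edit 2 and the accepted answer, as an added example that is not code from the question, the answer, or Kubernetes itself: kube-apiserver's X.509 authenticator turns the certificate subject into an identity (CN becomes the username, every O becomes a group), and RBAC then resolves that identity against bindings, one of which ships in every RBAC-enabled cluster and binds the group system:masters to the cluster-admin ClusterRole. The toy model below reproduces that flow on CSR dicts constructed to mirror the page's nonadmin-csr.json and operator-csr.json; the rules listed for the view ClusterRole are a small subset of the real one, and the other default bindings (for example system:basic-user for system:authenticated) are omitted. Note that system:view, used in Edit 2, is not a built-in Kubernetes group: it simply has no bindings, so the explicit RoleBinding and ClusterRoleBinding are what grant the operator its access.

```python
# Added example: toy model of X.509 identity mapping plus RBAC evaluation.
# Not Kubernetes code; CSR dicts, role rules and bindings are constructed here.
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Subject = Tuple[str, str]  # ("User", "operator") or ("Group", "system:masters")


def identity_from_csr(csr: dict) -> Tuple[str, List[str]]:
    """Map a cfssl-style CSR JSON to the (user, groups) the apiserver derives
    from the resulting client certificate: CN -> username, each O -> group.
    Every successfully authenticated client is also in system:authenticated."""
    groups = [n["O"] for n in csr.get("names", []) if n.get("O")]
    return csr["CN"], groups + ["system:authenticated"]


@dataclass
class Rule:
    api_groups: List[str]   # "" is the core API group (pods, services, ...)
    resources: List[str]
    verbs: List[str]

    def allows(self, api_group: str, resource: str, verb: str) -> bool:
        def match(allowed: List[str], want: str) -> bool:
            return "*" in allowed or want in allowed
        return (match(self.api_groups, api_group)
                and match(self.resources, resource)
                and match(self.verbs, verb))


@dataclass
class Binding:
    cluster_role: str
    subjects: List[Subject]
    namespace: Optional[str] = None  # None -> ClusterRoleBinding, else RoleBinding


CLUSTER_ROLES = {
    "cluster-admin": [Rule(["*"], ["*"], ["*"])],
    # Subset of the real "view" ClusterRole, enough for the page's commands.
    "view": [
        Rule([""], ["pods", "services", "configmaps"], ["get", "list", "watch"]),
        Rule(["apps"], ["deployments", "replicasets"], ["get", "list", "watch"]),
    ],
}

# The default ClusterRoleBinding every RBAC-enabled cluster ships with.
# This is why a certificate with O=system:masters needs no further bindings.
DEFAULT_BINDINGS = [Binding("cluster-admin", [("Group", "system:masters")])]


def can_i(user: str, groups: Sequence[str], verb: str, resource: str,
          api_group: str = "", namespace: Optional[str] = None,
          bindings: Sequence[Binding] = ()) -> bool:
    """Answer the equivalent of `kubectl auth can-i VERB RESOURCE [-n NS]`.
    namespace=None models a cluster-scoped request such as --all-namespaces."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for b in list(DEFAULT_BINDINGS) + list(bindings):
        if not subjects.intersection(b.subjects):
            continue
        # A RoleBinding only grants inside its own namespace, so it can never
        # satisfy a cluster-scoped request; that needs a ClusterRoleBinding.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.allows(api_group, resource, verb) for r in CLUSTER_ROLES[b.cluster_role]):
            return True
    return False


def privileged_groups(csr: dict) -> List[str]:
    """Pre-signing check for a CA workflow: groups in this CSR that are bound
    to cluster-admin by default. Non-empty means the cert must not be issued
    to someone who is supposed to be a non-admin."""
    _, groups = identity_from_csr(csr)
    admin_groups = {s[1] for b in DEFAULT_BINDINGS if b.cluster_role == "cluster-admin"
                    for s in b.subjects if s[0] == "Group"}
    return [g for g in groups if g in admin_groups]


# Constructed CSRs mirroring the page's nonadmin-csr.json and operator-csr.json.
NONADMIN_CSR = {"CN": "nonadmin", "names": [{"C": "IN", "L": "BGLR", "O": "system:masters"}]}
OPERATOR_CSR = {"CN": "operator", "names": [{"C": "IN", "L": "BGLR", "O": "system:view"}]}

# The two bindings created in Edit 2 of the question.
ROLEBINDING_DEFAULT = Binding("view", [("User", "operator")], namespace="default")
CRB_VIEW = Binding("view", [("User", "operator")])


if __name__ == "__main__":
    for csr in (NONADMIN_CSR, OPERATOR_CSR):
        user, groups = identity_from_csr(csr)
        print(user, groups, "privileged groups:", privileged_groups(csr))
        print("  list pods --all-namespaces (no extra bindings):",
              can_i(user, groups, "list", "pods"))
        print("  get pods -n default with RoleBinding only:",
              can_i(user, groups, "get", "pods", namespace="default",
                    bindings=[ROLEBINDING_DEFAULT]))
        print("  create pods --all-namespaces with ClusterRoleBinding view:",
              can_i(user, groups, "create", "pods", bindings=[CRB_VIEW]))
```

Two things the model makes visible that the page's transcript does not. First, `kubectl auth can-i ... --as operator` impersonates the user name only; the groups carried in the operator certificate are not part of that check unless you also pass `--as-group`, so the "no" answers in Edit 2 say nothing about what the group system:view would grant. Second, the `privileged_groups` check is the control that was missing when nonadmin-csr.json was signed: a CA step that refuses to issue a certificate placing a non-admin in system:masters closes this hole before RBAC is ever consulted, since nothing on the RBAC side can take cluster-admin away from that group.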
Page content provided by Stack Overflow.
Original link: https://stackoverflow.com/questions/55761022