# Testing RBAC with kubectl

kubectl provides the `auth can-i` command, which tests whether the current user, or a specified user or group, is allowed to perform a given action. It is a convenient way to verify that an RBAC configuration actually grants what you intended.
## Basic usage

```bash
kubectl auth can-i <verb> <resource> [options]
```
### Test the current user

```bash
kubectl auth can-i create pods
kubectl auth can-i delete deployments -n default
kubectl auth can-i list secrets --all-namespaces
```
### Test a ServiceAccount

```bash
kubectl auth can-i get pods \
  --as=system:serviceaccount:default:app-controller
```
### Test a user or group

```bash
kubectl auth can-i create deployments --as=alice
kubectl auth can-i get pods --as-group=developers
```
### List all permissions

```bash
kubectl auth can-i --list
kubectl auth can-i --list --as=system:serviceaccount:default:app-controller
```
## Practical example

### Scenario: verifying an application's permission configuration

The configured ClusterRole:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-controller
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "create", "update"]
```
Test the permissions:

```bash
SA="system:serviceaccount:default:app-controller"

# Permissions the role should grant
kubectl auth can-i get pods --as="$SA"          # yes
kubectl auth can-i list pods --as="$SA"         # yes
kubectl auth can-i create configmaps --as="$SA" # yes

# Permissions the role should not grant
kubectl auth can-i delete pods --as="$SA"       # no
kubectl auth can-i get secrets --as="$SA"       # no
```
### Batch test script

```bash
#!/bin/bash
# Compare the cluster's answer for each case against the expected one.
# `kubectl auth can-i` prints "yes" or "no" on stdout (and exits non-zero on "no"),
# so the printed word is captured and compared rather than the exit status.
SA="system:serviceaccount:default:app-controller"

# Each case is resource:verb:expected
tests=(
  "pods:get:yes"
  "pods:delete:no"
  "configmaps:create:yes"
  "secrets:get:no"
)

for test in "${tests[@]}"; do
  IFS=':' read -r resource verb expected <<< "$test"
  result=$(kubectl auth can-i "$verb" "$resource" --as="$SA" 2>/dev/null)
  if [ "$result" == "$expected" ]; then
    echo "[PASS] $verb $resource"
  else
    echo "[FAIL] $verb $resource (expected: $expected, got: $result)"
  fi
done
```
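The batch script above hand-writes the expected answers. As an added example (not code from the original page), the following Python evaluates a role's rules locally, using the same matching the RBAC authorizer applies (wildcards and the `pods` vs `pods/log` subresource distinction), derives the expected `yes`/`no` for each case, and builds the matching `kubectl auth can-i` commands. Because `can-i` reports the effective permission from every binding the subject has, a live answer that differs from the local one reveals extra or missing grants. The rule list is a constructed copy of the ClusterRole above.

```python
import subprocess

# Constructed input: the same rules as the app-controller ClusterRole on this page.
APP_CONTROLLER_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "create", "update"]},
]


def _match(allowed, value):
    # RBAC treats "*" as a wildcard in apiGroups and verbs.
    return "*" in allowed or value in allowed


def rules_allow(rules, verb, resource, api_group=""):
    """True if one single rule matches apiGroup, verb and resource of the request.
    Subresources follow the authorizer: "pods" does not cover "pods/log"; the rule
    must name "pods/log", "*/log" or "*"."""
    for rule in rules:
        if not _match(rule.get("apiGroups", []), api_group):
            continue
        if not _match(rule.get("verbs", []), verb):
            continue
        resources = rule.get("resources", [])
        if "*" in resources or resource in resources:
            return True
        if "/" in resource and "*/" + resource.split("/", 1)[1] in resources:
            return True
    return False


def can_i_command(verb, resource, subject, namespace=None):
    """Build the kubectl command that asks the live cluster the same question."""
    cmd = ["kubectl", "auth", "can-i", verb, resource, "--as=" + subject]
    if namespace:
        cmd += ["-n", namespace]
    return cmd


def build_plan(rules, cases, subject):
    """Pair each (verb, resource) case with its command and the locally expected answer."""
    return [(can_i_command(v, r, subject), "yes" if rules_allow(rules, v, r) else "no")
            for v, r in cases]


def run_plan(plan):
    """Run every command against the cluster; return cases whose live answer differs."""
    failures = []
    for cmd, expected in plan:
        out = subprocess.run(cmd, capture_output=True, text=True).stdout.strip()
        if out != expected:  # kubectl prints "yes" or "no"
            failures.append((" ".join(cmd), expected, out))
    return failures
```

With a cluster configured, `run_plan(build_plan(APP_CONTROLLER_RULES, [("get", "pods"), ("delete", "pods"), ("get", "pods/log")], "system:serviceaccount:default:app-controller"))` returns an empty list when the effective permissions match the role.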
## Other uses

### Test subresources

```bash
kubectl auth can-i get pods/log
kubectl auth can-i create pods/exec
```

### Test non-resource URLs

```bash
kubectl auth can-i get --non-resource-url=/metrics
kubectl auth can-i get --non-resource-url=/healthz
```

### Test a specific resource name

```bash
kubectl auth can-i get configmaps --resource-name=app-config
```
## Common scenarios

```bash
# Cluster administrator
kubectl auth can-i create namespaces
kubectl auth can-i delete nodes

# Developer
kubectl auth can-i create pods -n dev
kubectl auth can-i get pods/log -n dev

# ServiceAccount
kubectl auth can-i create deployments \
  --as=system:serviceaccount:ci:deployer

# Security audit
kubectl auth can-i list pods --as=system:anonymous
```