RBAC Aggregation
Concept
ClusterRole aggregation lets one ClusterRole automatically merge the permissions of other ClusterRoles selected by a label selector.
- Main (aggregating) ClusterRole: defines an aggregationRule; its rules are managed automatically by Kubernetes
- Child ClusterRoles: roles carrying the matching label; their permissions are aggregated into the main role automatically
Example
Main ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-controller
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregate-to-app: "true"
# rules is left empty; Kubernetes fills it in automatically
Child ClusterRole (core permissions)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-controller-core
  labels:
    rbac.example.com/aggregate-to-app: "true"
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
Child ClusterRole (extended permissions)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-controller-extra
  labels:
    rbac.example.com/aggregate-to-app: "true"
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "create", "update"]
Aggregation result
The main ClusterRole automatically contains the permissions of all child roles:
kubectl get clusterrole app-controller -o yaml
Result:
rules:
# from core
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
# from extra
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "create", "update"]
Verification
# apply the configuration
kubectl apply -f main-role.yaml
kubectl apply -f core-role.yaml
kubectl apply -f extra-role.yaml
# check the aggregation result
kubectl get clusterrole app-controller -o jsonpath='{.rules}' | jq '.'
# verify the permissions take effect (assumes the role is bound to this service account)
kubectl auth can-i get pods --as=system:serviceaccount:default:app-controller
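Because every ClusterRole that carries the selector's label is pulled into the main role, the label itself becomes a privilege boundary; the added Python example below (not part of the original note and not Kubernetes code) reproduces the aggregation controller's matching over ClusterRole objects in the shape `kubectl get clusterroles -o json` returns, lists which roles contribute, and flags wildcard rules for review. Its input is a constructed sample: the three roles above plus a hypothetical `unreviewed-extra` role that carries the same label, and an `unrelated` role without it.

```python
def selector_matches(selector, labels):
    """Evaluate a metav1.LabelSelector (matchLabels + matchExpressions)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def aggregate(aggregating, cluster_roles):
    """Return (rules, contributor names) for an aggregating ClusterRole: a role
    contributes if ANY clusterRoleSelectors entry matches it, a role never
    aggregates itself, and an identical rule is not appended twice."""
    selectors = aggregating.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    rules, contributors = [], []
    for role in cluster_roles:
        if role["metadata"]["name"] == aggregating["metadata"]["name"]:
            continue
        labels = role["metadata"].get("labels", {})
        if any(selector_matches(s, labels) for s in selectors):
            contributors.append(role["metadata"]["name"])
            for rule in role.get("rules", []):
                if rule not in rules:
                    rules.append(rule)
    return rules, contributors
def risky_rules(rules):
    """Flag rules granting wildcard verbs or resources for manual review."""
    return [r for r in rules if "*" in r.get("verbs", []) or "*" in r.get("resources", [])]
def sample_roles():
    """Constructed sample: the note's roles plus hypothetical unreviewed-extra/unrelated."""
    def role(name, labels, rules):
        return {"metadata": {"name": name, "labels": labels}, "rules": rules}
    lbl = {"rbac.example.com/aggregate-to-app": "true"}
    main = {"metadata": {"name": "app-controller"},
            "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": lbl}]}}
    return main, [main,
        role("app-controller-core", lbl, [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]),
        role("app-controller-extra", lbl, [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "create", "update"]}]),
        role("unreviewed-extra", lbl, [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]),
        role("unrelated", {}, [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]}])]
```

Run `aggregate(*sample_roles())` to see that the hypothetical `unreviewed-extra` role lands in `app-controller` purely because of its label, which is why creating or labelling ClusterRoles should be restricted as tightly as editing the aggregated role itself.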