Restrictions on selective Kubernetes namespaces for non-admins

Question


I have put delete restrictions (using a validation webhook) for all service accounts on a namespace, including the namespace itself. Is there a way, as a cluster admin, I can delete objects from that namespace?

  package kubernetes.admission

  deny[msg] {
      namespace := input.request.namespace
      operation := input.request.operation
      # Namespaces protected by this policy
      namespaces := {"test01"}
      # Operations blocked in those namespaces
      operations := {"CREATE", "DELETE", "UPDATE"}
      namespaces[namespace]
      operations[operation]
      # One format verb per value, so both fields render in the message
      msg := sprintf("Operation not permitted in protected namespace %q, invalid operation %q", [namespace, operation])
  }

Or, is there a way to put the cluster admin in an exception list?

Update:

I figured out the usernames to put in the exception list, but although this policy evaluates correctly in the policy checker, it does not have status: ok in the ConfigMap status:

  package kubernetes.admission

  deny[msg] {
      namespace := input.request.namespace
      operation := input.request.operation
      username := input.request.userInfo.username
      # Namespaces protected by this policy
      namespaces := {"test01", "kube-system"}
      # Users exempt from the restriction
      users := {"kubernetes-admin", "admin"}
      # Operations blocked in those namespaces
      operations := {"CREATE", "DELETE", "UPDATE"}
      namespaces[namespace]
      operations[operation]
      not users[username]
      # One format verb per value, so all three fields render in the message
      msg := sprintf("Operation not permitted in protected namespace %q, invalid operation %q for user %q", [namespace, operation, username])
  }

Update:

The policy status is Ok after a while.

Answer 1

Score: 2


This policy works, given that the user names are correct.

  package kubernetes.admission

  deny[msg] {
      namespace := input.request.namespace
      operation := input.request.operation
      username := input.request.userInfo.username
      # Namespaces protected by this policy
      namespaces := {"test01", "kube-system"}
      # Users exempt from the restriction
      users := {"kubernetes-admin", "admin"}
      # Operations blocked in those namespaces
      operations := {"CREATE", "DELETE", "UPDATE"}
      namespaces[namespace]
      operations[operation]
      not users[username]
      # One format verb per value, so all three fields render in the message
      msg := sprintf("Operation not permitted in protected namespace %q, invalid operation %q for user %q", [namespace, operation, username])
  }
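A unit test for the policy above, written for OPA's built-in test runner (`opa test`); this is an added example, not code from the original answer, and the AdmissionReview fragments it feeds to the policy are constructed. It assumes the policy is saved as policy.rego in the same `kubernetes.admission` package.

```rego
package kubernetes.admission

# Constructed AdmissionReview fragments (not taken from the original post).
admin_delete := {"request": {
    "namespace": "test01",
    "operation": "DELETE",
    "userInfo": {"username": "kubernetes-admin"}
}}

sa_delete := {"request": {
    "namespace": "test01",
    "operation": "DELETE",
    "userInfo": {"username": "system:serviceaccount:test01:default"}
}}

sa_delete_elsewhere := {"request": {
    "namespace": "dev",
    "operation": "DELETE",
    "userInfo": {"username": "system:serviceaccount:dev:default"}
}}

sa_connect := {"request": {
    "namespace": "kube-system",
    "operation": "CONNECT",
    "userInfo": {"username": "system:serviceaccount:kube-system:default"}
}}

# An exempt user may delete in a protected namespace.
test_admin_delete_allowed {
    count(deny) == 0 with input as admin_delete
}

# A service account acting on a protected namespace is denied, and the
# message names the offending user.
test_serviceaccount_delete_denied {
    msgs := deny with input as sa_delete
    count(msgs) == 1
    contains(msgs[_], "system:serviceaccount:test01:default")
}

# Namespaces outside the protected set are untouched.
test_other_namespace_allowed {
    count(deny) == 0 with input as sa_delete_elsewhere
}

# Operations outside the protected set are untouched even in a protected namespace.
test_other_operation_allowed {
    count(deny) == 0 with input as sa_connect
}
```

Run it with `opa test policy.rego policy_test.rego -v` before loading the policy into the cluster. The admin username comes from the client certificate CN or the configured authenticator (kubeadm issues `kubernetes-admin`), so matching the `system:masters` group in `input.request.userInfo.groups` is an alternative way to express the exemption.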

Answer 2

Score: 0


You could delete the object directly from the etcd server, assuming that as cluster admin you have access to the etcd server.

For example:

  $ kubectl get po
  NAME                      READY   STATUS    RESTARTS   AGE
  curler-755cc7cfff-xdt6m   1/1     Running   0          21h
  nginx-6db489d4b7-qvmgn    1/1     Running   0          21h

I want to delete the pod nginx-6db489d4b7-qvmgn:

  $ kubectl get po -n kube-system | grep etcd
  etcd-v1-16-master   1/1   Running   4   10d
  $ kubectl exec -it etcd-v1-16-master -n kube-system sh
  $ ETCDCTL_API=3 etcdctl --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt del /registry/pods/default/nginx-6db489d4b7-qvmgn
  1

Now if I check it again:

  $ kubectl get po
  NAME                      READY   STATUS    RESTARTS   AGE
  curler-755cc7cfff-xdt6m   1/1     Running   0          21h
  nginx-6db489d4b7-n8p8d    1/1     Running   0          35s

huangapple
  • Published on 3 January 2020 at 20:03:56
  • Please keep this link when reposting: https://go.coder-hub.com/59578322.html