Restrictions on selective Kubernetes namespaces for non-admins
Question
I have put delete restrictions (using a validation webhook) for all service accounts on a namespace, including the namespace itself. Is there a way, as a cluster admin, that I can delete objects from that namespace?
package kubernetes.admission

# Deny CREATE/UPDATE/DELETE on any object whose namespace is in the protected set.
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    namespaces := {"test01"}
    operations := {"CREATE", "DELETE", "UPDATE"}
    namespaces[namespace]
    operations[operation]
    # sprintf needs one verb per argument
    msg := sprintf("Operation not permitted in protected namespace %q: invalid operation %q", [namespace, operation])
}
Or, is there a way to put the cluster admin in an exception list?
Update:
I figured out the usernames to put in the exception list, but although this policy evaluates correctly in the policy checker, it does not have status: ok in the ConfigMap status:
package kubernetes.admission

# Deny CREATE/UPDATE/DELETE in protected namespaces unless the request comes
# from one of the listed usernames (matched exactly).
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01", "kube-system"}
    users := {"kubernetes-admin", "admin"}
    operations := {"CREATE", "DELETE", "UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    # sprintf needs one verb per argument
    msg := sprintf("Operation not permitted in protected namespace %q: user %q may not perform %q", [namespace, username, operation])
}
Update:
The policy status is Ok after a while.
Answer 1
Score: 2
This policy works, given that the user names are correct.
package kubernetes.admission

# Deny CREATE/UPDATE/DELETE in protected namespaces unless the request comes
# from one of the listed usernames (matched exactly).
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01", "kube-system"}
    users := {"kubernetes-admin", "admin"}
    operations := {"CREATE", "DELETE", "UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    # sprintf needs one verb per argument
    msg := sprintf("Operation not permitted in protected namespace %q: user %q may not perform %q", [namespace, username, operation])
}
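As an added example (not from the question or the answer), a Rego unit-test file for the policy above that can be run with `opa test -v`, using the v0 syntax the page uses; the `review` helper, the test names and the usernames in the inputs are constructed for illustration, and the policy is repeated in the file so it runs on its own. The last test shows the caveat from the answer: the exception list matches usernames exactly.

```rego
package kubernetes.admission

# Policy under test: same logic as the policy above (exception list keyed on
# the exact username), repeated here so the file runs on its own.
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01", "kube-system"}
    users := {"kubernetes-admin", "admin"}
    operations := {"CREATE", "DELETE", "UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    msg := sprintf("Operation not permitted in protected namespace %q: user %q may not perform %q", [namespace, username, operation])
}

# Hypothetical helper: builds the minimal AdmissionReview-shaped input the
# policy reads (constructed sample data, not a real captured request).
review(ns, op, user) = r {
    r := {"request": {"namespace": ns, "operation": op, "userInfo": {"username": user}}}
}

# A listed admin may delete in a protected namespace.
test_listed_admin_delete_allowed {
    r := review("test01", "DELETE", "kubernetes-admin")
    count(deny) == 0 with input as r
}

# A service account in the same namespace is still blocked.
test_serviceaccount_delete_denied {
    r := review("test01", "DELETE", "system:serviceaccount:test01:default")
    count(deny) == 1 with input as r
}

# Namespaces outside the protected set are untouched by the policy.
test_unprotected_namespace_allowed {
    r := review("default", "DELETE", "system:serviceaccount:default:default")
    count(deny) == 0 with input as r
}

# The match is on the exact username, so an admin authenticating under a name
# that is not in the list (constructed example) is denied; check the real
# username in the API server audit log or the AdmissionReview before relying on it.
test_unlisted_admin_name_denied {
    r := review("kube-system", "UPDATE", "cluster-admin")
    count(deny) == 1 with input as r
}
```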
Answer 2
Score: 0
You could delete the object directly from the etcd server, assuming that as cluster admin you have access to the etcd server.
For example:
$ kubectl get po
NAME READY STATUS RESTARTS AGE
curler-755cc7cfff-xdt6m 1/1 Running 0 21h
nginx-6db489d4b7-qvmgn 1/1 Running 0 21h
I want to delete pod nginx-6db489d4b7-qvmgn:
$ kubectl get po -n kube-system | grep etcd
etcd-v1-16-master 1/1 Running 4 10d
$ kubectl exec -it etcd-v1-16-master -n kube-system sh
$ ETCDCTL_API=3 etcdctl --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt del /registry/pods/default/nginx-6db489d4b7-qvmgn
1
Now if I check it again:
$ kubectl get po
NAME READY STATUS RESTARTS AGE
curler-755cc7cfff-xdt6m 1/1 Running 0 21h
nginx-6db489d4b7-n8p8d 1/1 Running 0 35s