对非管理员的选择性Kubernetes命名空间的限制

huangapple go评论70阅读模式
英文:

Restrictions on selective kubernetes namespaces for non admins

问题

我已经为命名空间上的所有服务账号(使用验证 Webhook)设置了删除限制,包括命名空间本身。作为集群管理员,是否有一种方法可以从该命名空间中删除对象?

或者,是否有一种将集群管理员放入异常列表的方法?

更新:

我已经找出要放入异常列表的用户名,但是这个策略在策略检查器中评估正确,但在 ConfigMap 状态中没有状态为“ok”:

策略包含:

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    msg := sprintf("Operation not permitted in protected namespace, invalid operation for %q",[namespace,username,operation])
}

更新:

策略状态在一段时间后变为 "Ok"。

英文:

I have put delete restrictions ( using validation webhook ) for all service accounts on a namespace , including the namespace itself , is there a way, as a cluster admin, I can delete objects from that namsepace?

package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    namespaces := {"test01"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
   
    msg := sprintf("Operation not permitted in protected namespace, invalid operation for %q",[namespace,operation])
}

Or , is there a way to put the cluster admin in exception.

Update:

I figured out the usernames to put in execption but this policy although evaluates correctly in policy checker but not having status: ok in configmap status:

package kubernetes.admission
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    msg := sprintf("Operation not permitted in protected namespace, invalid operation for %q",[namespace,username,operation])
}

Update:

The policy status is Ok after a while.

答案1

得分: 2

此策略适用,前提是用户名称正确。

package kubernetes.admission
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    msg := sprintf("Operation not permitted in protected namespace, invalid operation for %q",[namespace,username,operation])
}
英文:

This policy works , given that the user-names are correct.

package kubernetes.admission
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    msg := sprintf("Operation not permitted in protected namespace, invalid operation for %q",[namespace,username,operation])
}

答案2

得分: 0

你可以直接从etcd服务器中删除对象。假设作为集群管理员,您可以访问etcd服务器。

例如:

$ kubectl get po
NAME                      READY   STATUS    RESTARTS   AGE
curler-755cc7cfff-xdt6m   1/1     Running   0          21h
nginx-6db489d4b7-qvmgn    1/1     Running   0          21h

我想删除Pod nginx-6db489d4b7-qvmgn

$ kubectl get po -n kube-system | grep etcd
etcd-v1-16-master                          1/1     Running   4          10d
$ kubectl exec -it etcd-v1-16-master -n kube-system sh
$ ETCDCTL_API=3 etcdctl --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt del /registry/pods/default/nginx-6db489d4b7-qvmgn
1

现在如果再次检查:

$ kubectl get po
NAME                      READY   STATUS    RESTARTS   AGE
curler-755cc7cfff-xdt6m   1/1     Running   0          21h
nginx-6db489d4b7-n8p8d    1/1     Running   0          35s
英文:

You could delete the object directly from the etcd server. Assuming that as cluster admin you have access to the etcd server.

For example:

$ kubectl get po
NAME                      READY   STATUS    RESTARTS   AGE
curler-755cc7cfff-xdt6m   1/1     Running   0          21h
nginx-6db489d4b7-qvmgn    1/1     Running   0          21h

I want to delete pod nginx-6db489d4b7-qvmgn

$ kubectl get po -n kube-system | grep etcd
etcd-v1-16-master                          1/1     Running   4          10d
$ kubectl exec -it etcd-v1-16-master -n kube-system sh    
$ ETCDCTL_API=3 etcdctl --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt del /registry/pods/default/nginx-6db489d4b7-qvmgn  
1

Now if i check it again:

$ kubectl get po
NAME                      READY   STATUS    RESTARTS   AGE
curler-755cc7cfff-xdt6m   1/1     Running   0          21h
nginx-6db489d4b7-n8p8d    1/1     Running   0          35s

huangapple
  • 本文由 发表于 2020年1月3日 20:03:56
  • 转载请务必保留本文链接:https://go.coder-hub.com/59578322.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定