IAM角色与Kubernetes中的RBAC之间的关系

huangapple go评论101阅读模式
英文:

Relationship between IAM roles and RBAC in Kubernetes

问题

与我主要使用的角色和K8s中的RBAC之间有什么关系?

具体来说,当我运行 kubectl describe -n kube-system configmap/aws-auth 命令时,我在这里看到了这个角色:myAmazonEKSNodeRole,如 此处 所描述的。

但是,当我查看AWS IAM控制台中的角色权限时,我期望看到以下内容:

[jenia@archlinux ibn-battuta]$ kubectl get rolebindings -A
NAMESPACE     NAME                                                           ROLE                                                  AGE
kube-public   system:controller:bootstrap-signer                             Role/system:controller:bootstrap-signer               11d
kube-system   eks-vpc-resource-controller-rolebinding                        Role/eks-vpc-resource-controller-role                 11d
kube-system   eks:addon-manager                                              Role/eks:addon-manager                                11d
kube-system   eks:authenticator                                              Role/eks:authenticator                                11d
kube-system   eks:az-poller                                                  Role/eks:az-poller                                    11d
kube-system   eks:certificate-controller                                     Role/eks:certificate-controller                       11d
kube-system   eks:cloud-controller-manager:apiserver-authentication-reader   Role/extension-apiserver-authentication-reader        11d
kube-system   eks:fargate-manager                                            Role/eks:fargate-manager                              11d
kube-system   eks:k8s-metrics                                                Role/eks:k8s-metrics                                  11d
kube-system   eks:node-manager                                               Role/eks:node-manager                                 11d
kube-system   eks:service-operations                                         Role/eks:service-operations-configmaps                11d
kube-system   system::extension-apiserver-authentication-reader              Role/extension-apiserver-authentication-reader        11d
kube-system   system::leader-locking-kube-controller-manager                 Role/system::leader-locking-kube-controller-manager   11d
kube-system   system::leader-locking-kube-scheduler                          Role/system::leader-locking-kube-scheduler            11d
kube-system   system:controller:bootstrap-signer                             Role/system:controller:bootstrap-signer               11d
kube-system   system:controller:cloud-provider                               Role/system:controller:cloud-provider                 11d
kube-system   system:controller:token-cleaner                                Role/system:controller:token-cleaner                  11d

但是在IAM控制台中,我看到的是这个:

                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"

在IAM控制台中,似乎完全没有与CLI角色 myAmazonEKSNodeRole 在K8s集群中的RBAC权限之间的连接。这令人困惑。我如何控制特定IAM角色在我的K8s集群中具有哪些权限?

英文:

What is the relationship between the role my principal is using and the RBAC in k8s?

Specifically, when I do kubectl describe -n kube-system configmap/aws-auth I see this role: myAmazonEKSNodeRole as described here.

But when I look in the role permission in AWS IAM console, I expect to see this:

[jenia@archlinux ibn-battuta]$ kubectl get rolebindings -A
NAMESPACE     NAME                                                           ROLE                                                  AGE
kube-public   system:controller:bootstrap-signer                             Role/system:controller:bootstrap-signer               11d
kube-system   eks-vpc-resource-controller-rolebinding                        Role/eks-vpc-resource-controller-role                 11d
kube-system   eks:addon-manager                                              Role/eks:addon-manager                                11d
kube-system   eks:authenticator                                              Role/eks:authenticator                                11d
kube-system   eks:az-poller                                                  Role/eks:az-poller                                    11d
kube-system   eks:certificate-controller                                     Role/eks:certificate-controller                       11d
kube-system   eks:cloud-controller-manager:apiserver-authentication-reader   Role/extension-apiserver-authentication-reader        11d
kube-system   eks:fargate-manager                                            Role/eks:fargate-manager                              11d
kube-system   eks:k8s-metrics                                                Role/eks:k8s-metrics                                  11d
kube-system   eks:node-manager                                               Role/eks:node-manager                                 11d
kube-system   eks:service-operations                                         Role/eks:service-operations-configmaps                11d
kube-system   system::extension-apiserver-authentication-reader              Role/extension-apiserver-authentication-reader        11d
kube-system   system::leader-locking-kube-controller-manager                 Role/system::leader-locking-kube-controller-manager   11d
kube-system   system::leader-locking-kube-scheduler                          Role/system::leader-locking-kube-scheduler            11d
kube-system   system:controller:bootstrap-signer                             Role/system:controller:bootstrap-signer               11d
kube-system   system:controller:cloud-provider                               Role/system:controller:cloud-provider                 11d
kube-system   system:controller:token-cleaner                                Role/system:controller:token-cleaner                  11d

But instead in the IAM console I see this:

                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"

There seems to be no connection whatsoever between the permissions in the IAM console for the CLI role myAmazonEKSNodeRole and the RBAC in k8s. This is puzzling. How do I control which permission a specific IAM role has in my k8s cluster?

答案1

得分: 2

The aws-auth ConfigMap maintains a mapping between IAM principles and Kubernetes RBAC groups. Granting access to EKS clusters is a multi-step process.

  1. 创建一个集群角色或角色,定义 RBAC 权限
  2. 创建一个集群角色绑定或角色绑定,将集群角色或角色与 RBAC 组关联
  3. 向 aws-auth ConfigMap 添加一个条目,将 IAM 原则映射到 RBAC 组,例如 system:masters

虽然可以手动更新 aws-auth ConfigMap,但我建议使用 eksctl 或 aws-iam-authenticator,因为使用这些工具更不容易损坏 aws-auth ConfigMap。

在 AWS 控制台中查看的角色是分配给工作节点的 IAM 角色。它需要这些权限来从 ECR 拉取镜像。

英文:

The aws-auth ConfigMap maintains a mapping between IAM principles and Kubernetes RBAC groups. Granting access to EKS clusters is a multi-step process.

  1. Create a cluster role or a role that defines the RBAC permissions
  2. Create a cluster role binding or role binding that associates the cluster role or role with an RBAC group
  3. Add an entry to the aws-auth ConfigMap that maps an IAM principle to an RBAC group, e.g. system:masters

While its possible to update the aws-auth ConfigMap manually, I recommend using eksctl or the aws-iam-authenticator instead because you're less likely to corrupt your aws-auth ConfigMap with those tools.

The role you're looking at in the AWS console is the IAM role assigned to the worker node. It needs those permissions to fetch images from ECR.

答案2

得分: 0

答案是:当您创建一个Amazon EKS集群时,创建集群的IAM主体会自动在Amazon EKS控制平面的集群基于角色的访问控制(RBAC)配置中被授予system:masters权限。

英文:

The answer is: When you create an Amazon EKS cluster, the IAM principal that creates the cluster is automatically granted system:masters permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane

huangapple
  • 本文由 发表于 2023年8月4日 06:36:23
  • 转载请务必保留本文链接:https://go.coder-hub.com/76831969.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定