Kubernetes check serviceaccount permissions

天涯浪子 提交于 2020-07-16 16:14:48

问题


When deploying a service via a Helm Chart, the installation failed because the tiller serviceaccount was not allowed to create a ServiceMonitor resource.

Note:

  • ServiceMonitor is a CRD defined by the Prometheus Operator to automagically get metrics of running containers in Pods.
  • Helm Tiller is installed in a single namespace and the RBAC has been setup using Role and RoleBinding.

I wanted to verify the permissions of the tiller serviceaccount.
kubectl has the auth can-i command, queries like these (see below) always return no.

  • kubectl auth can-i list deployment --as=tiller
  • kubectl auth can-i list deployment --as=staging:tiller

What is the proper way to check permissions for a serviceaccount?
How to enable the tiller account to create a ServiceMonitor resource?


回答1:


After trying lots of things and Googling all over the universe I finally found this blogpost about Securing your cluster with RBAC and PSP where an example is given how to check access for serviceaccounts.

The correct command is:
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccountname> [-n <namespace>]

To check whether the tiller account has the right to create a ServiceMonitor object:
kubectl auth can-i create servicemonitor --as=system:serviceaccount:staging:tiller -n staging

Note: to solve my issue with the tiller account, I had to add rights to the servicemonitors resource in the monitoring.coreos.com apiGroup. After that change, the above command returned yes (finally) and the installation of our Helm Chart succeeded.

Updated tiller-manager role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  labels:
    org: ipos
    app: tiller
  annotations:
    description: "Role to give Tiller appropriate access in namespace"
    ref: "https://docs.helm.sh/using_helm/#example-deploy-tiller-in-a-namespace-restricted-to-deploying-resources-only-in-that-namespace"
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups:
    - monitoring.coreos.com
  resources:
    - servicemonitors
  verbs:
    - '*'


来源:https://stackoverflow.com/questions/54889458/kubernetes-check-serviceaccount-permissions

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!