kubernetes - Forbidden to add roles.rbac.authorization.k8s.io in apiGroups

Reposted. Author: 行者123. Updated: 2023-12-02 11:30:07

I'm running kubernetes v1.11.5 and I'm installing helm with a tiller deployment per namespace.
Let's focus on a single namespace. This is the tiller service account configuration:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: marketplace-int
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: marketplace-int
rules:
  - apiGroups:
      - ""
      - extensions
      - apps
      - rbac.authorization.k8s.io
      - roles.rbac.authorization.k8s.io   # not an API group; "roles" is a resource in rbac.authorization.k8s.io
      - authorization.k8s.io
    resources: ["*"]
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: marketplace-int
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: marketplace-int
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io

When I try to deploy a chart, I get this error:
Error: release citest failed: roles.rbac.authorization.k8s.io "marketplace-int-role-ns-admin" is forbidden: 
attempt to grant extra privileges:
[{[*] [*] [*] [] []}] user=&{system:serviceaccount:marketplace-int:tiller 5c6af739-1023-11e9-a245-0ab514dfdff4
[system:serviceaccounts system:serviceaccounts:marketplace-int system:authenticated] map[]}
ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []}
{[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}
{[*] [ extensions apps rbac.authorization.k8s.io roles.rbac.authorization.k8s.io authorization.k8s.io] [*] [] []}] ruleResolutionErrors=[]

The error happens while trying to create the RBAC configuration for that namespace (using the tiller SA):
# Source: marketplace/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app: citest
    chart: marketplace-0.1.0
    heritage: Tiller
    release: citest
  namespace: marketplace-int
  name: marketplace-int-role-ns-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

The error message clearly says that the tiller service account does not have permissions on roles.rbac.authorization.k8s.io, but as shown above that permission is granted.
$ kubectl describe role tiller-manager
Name:         tiller-manager
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"tiller-manager","namespace":"marketplace-i...
PolicyRule:
  Resources                           Non-Resource URLs  Resource Names  Verbs
  ---------                           -----------------  --------------  -----
  *                                   []                 []              [*]
  *.apps                              []                 []              [*]
  *.authorization.k8s.io              []                 []              [*]
  *.extensions                        []                 []              [*]
  *.rbac.authorization.k8s.io         []                 []              [*]
  *.roles.rbac.authorization.k8s.io   []                 []              [*]

Honestly, I don't fully understand the error message about the ownerrules check. I'm trying to figure out what this message, which seems to be related to the role description, means: {[*] [*] [*] [] []}
Any clue about which permissions I'm missing?

Best answer

This is due to privilege escalation prevention in RBAC. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping for details.

Permission to create role objects is necessary, but not sufficient.

A user can only create/update a role if at least one of the following is true:

  • They already hold all the permissions contained in the role, at the same scope as the object being modified (cluster-wide for a ClusterRole; within the same namespace or cluster-wide for a Role). In your case, this means the user attempting to create the role must already have apiGroups=*, resources=*, verbs=* permissions within the namespace in which it is trying to create the role. You can grant this by granting the cluster-admin clusterrole to the service account with a rolebinding within the namespace.
  • They are given explicit permission to perform the "escalate" verb on the roles or clusterroles resource in the rbac.authorization.k8s.io API group (Kubernetes 1.12 and newer).

A similar question on Stack Overflow: https://stackoverflow.com/questions/54043691/

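To make the ownerrules line and the {[*] [*] [*] [] []} tuple in the error concrete, here is an added Python model of the escalation check (example code written for this page, not code from the question, the answer or Kubernetes itself). It follows the logic of kube-apiserver's ConfirmNoEscalation/Covers in simplified form: every rule of the Role being written is broken down into single (verb, apiGroup, resource) subrules, and each subrule must be covered by some rule the caller already holds in that namespace; only the plain "*" wildcard is modelled, not "*/subresource" forms. The tuple in the error is the Go PolicyRule struct printed field by field, {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}, so {[*] [*] [*] [] []} is the one subrule of the chart's Role that nothing in tiller's ownerrules covers. The owner rules, the chart's rules and cluster-admin's rules are transcribed from the question and from the built-in cluster-admin ClusterRole; the function names are my own.

```python
"""Simplified model of the Kubernetes RBAC escalation check (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple

ALL = "*"


@dataclass
class PolicyRule:
    # Field order matches the Go struct, which is why the apiserver prints a
    # rule as {[verbs] [apiGroups] [resources] [resourceNames] [nonResourceURLs]}
    verbs: List[str]
    api_groups: List[str] = field(default_factory=list)
    resources: List[str] = field(default_factory=list)
    resource_names: List[str] = field(default_factory=list)
    non_resource_urls: List[str] = field(default_factory=list)

    def __str__(self) -> str:
        parts = (self.verbs, self.api_groups, self.resources,
                 self.resource_names, self.non_resource_urls)
        return "{" + " ".join("[" + " ".join(p) + "]" for p in parts) + "}"


def breakdown(rule: PolicyRule) -> List[PolicyRule]:
    """Split a rule into subrules with one verb, one group and one resource
    (or one verb and one non-resource URL), as BreakdownRule does."""
    subrules = []
    for group in rule.api_groups:
        for resource in rule.resources:
            for verb in rule.verbs:
                subrules.append(PolicyRule([verb], [group], [resource],
                                           list(rule.resource_names)))
    for url in rule.non_resource_urls:
        for verb in rule.verbs:
            subrules.append(PolicyRule([verb], non_resource_urls=[url]))
    return subrules


def _has_all(owner: List[str], wanted: List[str]) -> bool:
    return all(w in owner for w in wanted)


def _url_covered(owner_urls: List[str], url: str) -> bool:
    for o in owner_urls:
        if o == ALL or o == url:
            return True
        if o.endswith("/*") and url.startswith(o[:-1]):  # "/apis/*" covers "/apis/apps"
            return True
    return False


def rule_covers(owner: PolicyRule, sub: PolicyRule) -> bool:
    """Does one rule the caller holds grant everything in one subrule?"""
    verbs_ok = ALL in owner.verbs or _has_all(owner.verbs, sub.verbs)
    groups_ok = ALL in owner.api_groups or _has_all(owner.api_groups, sub.api_groups)
    resources_ok = ALL in owner.resources or _has_all(owner.resources, sub.resources)
    urls_ok = all(_url_covered(owner.non_resource_urls, u) for u in sub.non_resource_urls)
    # an owner rule restricted to resourceNames cannot cover an unrestricted subrule
    names_ok = (not owner.resource_names) or (
        bool(sub.resource_names) and _has_all(owner.resource_names, sub.resource_names))
    return verbs_ok and groups_ok and resources_ok and urls_ok and names_ok


def covers(owner_rules: List[PolicyRule], wanted_rules: List[PolicyRule]) -> Tuple[bool, List[PolicyRule]]:
    """Return (covered, uncovered subrules); the uncovered list is what the
    apiserver reports after "attempt to grant extra privileges:"."""
    uncovered = [sub for rule in wanted_rules for sub in breakdown(rule)
                 if not any(rule_covers(o, sub) for o in owner_rules)]
    return (not uncovered, uncovered)


def may_escalate(owner_rules: List[PolicyRule]) -> bool:
    """Kubernetes 1.12+ bypass: the caller holds the "escalate" verb on roles
    in rbac.authorization.k8s.io (a "*" verb matches escalate as well)."""
    sub = PolicyRule(["escalate"], ["rbac.authorization.k8s.io"], ["roles"])
    return any(rule_covers(o, sub) for o in owner_rules)


# ownerrules transcribed from the error in the question: what tiller holds in
# marketplace-int (the tiller-manager Role plus the discovery rules every
# authenticated subject gets).
TILLER_OWNER_RULES = [
    PolicyRule(["create"], ["authorization.k8s.io"],
               ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]),
    PolicyRule(["get"], non_resource_urls=[
        "/api", "/api/*", "/apis", "/apis/*", "/healthz", "/openapi", "/openapi/*",
        "/swagger-2.0.0.pb-v1", "/swagger.json", "/swaggerapi", "/swaggerapi/*",
        "/version", "/version/"]),
    PolicyRule([ALL], ["", "extensions", "apps", "rbac.authorization.k8s.io",
                       "roles.rbac.authorization.k8s.io", "authorization.k8s.io"], [ALL]),
]

# rules of the Role the chart tries to create (marketplace-int-role-ns-admin)
NS_ADMIN_RULES = [PolicyRule([ALL], [ALL], [ALL])]

# rules of the built-in cluster-admin ClusterRole; binding it to tiller with a
# RoleBinding in the namespace is the first fix from the answer
CLUSTER_ADMIN_RULES = [PolicyRule([ALL], [ALL], [ALL]),
                       PolicyRule([ALL], non_resource_urls=[ALL])]


def check_as_posted() -> Tuple[bool, List[PolicyRule]]:
    return covers(TILLER_OWNER_RULES, NS_ADMIN_RULES)


def check_with_cluster_admin() -> Tuple[bool, List[PolicyRule]]:
    return covers(TILLER_OWNER_RULES + CLUSTER_ADMIN_RULES, NS_ADMIN_RULES)


if __name__ == "__main__":
    ok, extra = check_as_posted()
    print("as posted:", ok, "extra privileges:", [str(r) for r in extra])
    print("with cluster-admin bound in the namespace:", check_with_cluster_admin()[0])
    print("1.12+ escalate bypass would apply to tiller:", may_escalate(TILLER_OWNER_RULES))
```

Running it reproduces the forbidden result for the Role as posted, with exactly {[*] [*] [*] [] []} as the extra privilege: the tiller-manager Role lists specific apiGroups, and none of them is the wildcard "*" the chart asks for. Adding cluster-admin's rules to what tiller holds makes the check pass. The escalate bypass would also apply to the posted Role, since its verbs "*" on resources "*" in rbac.authorization.k8s.io includes escalate on roles, but that path only exists from Kubernetes 1.12, not on the 1.11.5 cluster in the question.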