I am setting up a CI/CD pipeline to automatically deploy a Kubernetes-based application. Part of this deployment involves creating additional service accounts and their associated roles.
When my pipeline runs, the deployment fails with the following error message:
Error: roles.rbac.authorization.k8s.io "mongodb-kubernetes-operator" is forbidden: user "cicd-bot@my-project.iam.gserviceaccount.com" (groups=["system:authenticated"]) is attempting to grant RBAC permissions not currently held:
│ {APIGroups:[""], Resources:["configmaps"], Verbs:["list" "watch" "create" "update" "patch" "get" "delete"]}
│ {APIGroups:[""], Resources:["pods"], Verbs:["list" "watch" "create" "update" "patch" "get" "delete"]}
│ {APIGroups:[""], Resources:["secrets"], Verbs:["list" "watch" "create" "update" "patch" "get" "delete"]}
│ {APIGroups:[""], Resources:["services"], Verbs:["list" "watch" "create" "update" "patch" "get" "delete"]}
│ {APIGroups:["apps"], Resources:["statefulsets"], Verbs:["list" "watch" "create" "update" "patch" "get" "delete"]}
│ {APIGroups:["mongodbcommunity.mongodb.com"], Resources:["mongodbcommunity"], Verbs:["list" "watch" "update" "patch" "get"]}
│ {APIGroups:["mongodbcommunity.mongodb.com"], Resources:["mongodbcommunity/finalizers"], Verbs:["list" "watch" "update" "patch" "get"]}
│ {APIGroups:["mongodbcommunity.mongodb.com"], Resources:["mongodbcommunity/spec"], Verbs:["list" "watch" "update" "patch" "get"]}
│ {APIGroups:["mongodbcommunity.mongodb.com"], Resources:["mongodbcommunity/status"], Verbs:["list" "watch" "update" "patch" "get"]}
│
│ with module.db_document.kubernetes_role.operator_mongodb,
│ on modules/db_document/main.tf line 17, in resource "kubernetes_role" "operator_mongodb":
│ 17: resource "kubernetes_role" "operator_mongodb" {
│
The error seems straightforward: my service account cannot grant permissions it does not hold. Since the error message mentions my GCP service account cicd-bot@my-project.iam.gserviceaccount.com, I added what I thought were the matching permissions to my role definition.
Below is my final role. It has create, delete, get, list and update permissions on configMaps, pods, secrets, services, statefulsets and thirdPartyObjects, which I thought should satisfy the requirement.
resource "google_project_iam_custom_role" "cicd_bot_role" {
  project = var.project
  role_id = "cicd_bot"
  title   = "CICD Bot"
  permissions = [
    "artifactregistry.repositories.downloadArtifacts",
    "artifactregistry.repositories.uploadArtifacts",
    "compute.instanceGroupManagers.get",
    "container.clusters.get",
    "container.configMaps.create",
    "container.configMaps.delete",
    "container.configMaps.get",
    "container.configMaps.list",
    "container.configMaps.update",
    "container.cronJobs.create",
    "container.cronJobs.delete",
    "container.cronJobs.get",
    "container.cronJobs.update",
    "container.customResourceDefinitions.create",
    "container.customResourceDefinitions.delete",
    "container.customResourceDefinitions.get",
    "container.customResourceDefinitions.list",
    "container.customResourceDefinitions.update",
    "container.deployments.create",
    "container.deployments.delete",
    "container.deployments.get",
    "container.deployments.update",
    "container.ingresses.create",
    "container.ingresses.delete",
    "container.ingresses.get",
    "container.ingresses.update",
    "container.jobs.create",
    "container.jobs.delete",
    "container.jobs.get",
    "container.jobs.update",
    "container.namespaces.get",
    "container.persistentVolumeClaims.create",
    "container.persistentVolumeClaims.delete",
    "container.persistentVolumeClaims.get",
    "container.persistentVolumeClaims.update",
    "container.pods.create",
    "container.pods.delete",
    "container.pods.get",
    "container.pods.list",
    "container.pods.update",
    "container.roleBindings.create",
    "container.roleBindings.delete",
    "container.roleBindings.get",
    "container.roleBindings.update",
    "container.roles.create",
    "container.roles.delete",
    "container.roles.get",
    "container.roles.update",
    "container.secrets.create",
    "container.secrets.delete",
    "container.secrets.get",
    "container.secrets.list",
    "container.secrets.update",
    "container.serviceAccounts.create",
    "container.serviceAccounts.delete",
    "container.serviceAccounts.get",
    "container.serviceAccounts.update",
    "container.services.create",
    "container.services.delete",
    "container.services.get",
    "container.services.list",
    "container.services.update",
    "container.statefulSets.create",
    "container.statefulSets.delete",
    "container.statefulSets.get",
    "container.statefulSets.list",
    "container.statefulSets.update",
    "container.thirdPartyObjects.create",
    "container.thirdPartyObjects.delete",
    "container.thirdPartyObjects.get",
    "container.thirdPartyObjects.list",
    "container.thirdPartyObjects.update",
    "dns.changes.create",
    "dns.changes.get",
    "dns.resourceRecordSets.get",
    "dns.resourceRecordSets.list",
    "dns.resourceRecordSets.update",
    "storage.buckets.get",
    "storage.objects.create",
    "storage.objects.delete",
    "storage.objects.get",
    "storage.objects.list",
  ]
}
However, after deploying it, the error persists. I wondered whether it was necessary to add equivalent permissions on the Kubernetes side, so I also created the following ClusterRole and ClusterRoleBinding.
resource "kubernetes_cluster_role" "cicd_bot" {
  metadata {
    name = kubernetes_service_account.cicd_bot.metadata[0].name
  }
  rule {
    api_groups = [""]
    resources  = ["namespaces"]
    verbs      = ["create", "delete", "get"]
  }
  rule {
    api_groups = [""]
    resources  = ["configmaps"]
    verbs      = ["list", "watch", "create", "update", "patch", "get", "delete"]
  }
  rule {
    api_groups = [""]
    resources  = ["pods"]
    verbs      = ["list", "watch", "create", "update", "patch", "get", "delete"]
  }
  rule {
    api_groups = [""]
    resources  = ["secrets"]
    verbs      = ["list", "watch", "create", "update", "patch", "get", "delete"]
  }
  rule {
    api_groups = [""]
    resources  = ["services"]
    verbs      = ["list", "watch", "create", "update", "patch", "get", "delete"]
  }
  rule {
    api_groups = ["apps"]
    resources  = ["statefulsets"]
    verbs      = ["list", "watch", "create", "update", "patch", "get", "delete"]
  }
  rule {
    api_groups = ["mongodbcommunity.mongodb.com"]
    resources  = ["mongodbcommunity"]
    verbs      = ["list", "watch", "update", "patch", "get"]
  }
  rule {
    api_groups = ["mongodbcommunity.mongodb.com"]
    resources  = ["mongodbcommunity/finalizers"]
    verbs      = ["list", "watch", "update", "patch", "get"]
  }
  rule {
    api_groups = ["mongodbcommunity.mongodb.com"]
    resources  = ["mongodbcommunity/spec"]
    verbs      = ["list", "watch", "update", "patch", "get"]
  }
  rule {
    api_groups = ["mongodbcommunity.mongodb.com"]
    resources  = ["mongodbcommunity/status"]
    verbs      = ["list", "watch", "update", "patch", "get"]
  }
}
resource "kubernetes_cluster_role_binding" "cicd_bot" {
  metadata {
    name = kubernetes_service_account.cicd_bot.metadata[0].name
  }
  subject {
    kind      = "ServiceAccount"
    namespace = kubernetes_service_account.cicd_bot.metadata[0].namespace
    name      = kubernetes_service_account.cicd_bot.metadata[0].name
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.cicd_bot.metadata[0].name
  }
}
Unfortunately, the pipeline still fails with the same error. I have been able to overcome similar errors in the past, but not this time. What am I missing?
UPDATE: I was able to deploy successfully by attaching the role roles/container.admin to my service account. So now I need to figure out which permissions roles/container.admin has that my custom role does not.
Best answer
Sadly, the one missing permission was container.roles.escalate. Even including all the other container.* permissions is not enough; container.roles.escalate is still required.
This is unfortunate because it makes the cluster more vulnerable to privilege escalation attacks. If there is a safer way to achieve this, I would be happy to hear it. I will not mark my own answer as "correct" because I am not happy with it. But hey, at least it works...
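To make the "permissions not currently held" check concrete, here is a small model of the Kubernetes RBAC escalation-prevention rule that produced the error above. This is an added example, not code from the question or from Kubernetes; the held permission set is constructed (get/list/create/update/delete on configmaps, like the verbs in the custom IAM role), and the GKE IAM-to-RBAC mapping is not modelled.

```python
"""Model of the RBAC escalation-prevention check: a requester may create a
Role only if every (apiGroup, resource, verb) it grants is already held by
the requester, unless the requester holds the 'escalate' verb on roles.
Simplified: resourceNames, subresource wildcards and namespace scope are ignored."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset


def covers(held: Rule, group: str, resource: str, verb: str) -> bool:
    """True if a held rule grants (group, resource, verb); '*' is a wildcard."""
    return (("*" in held.api_groups or group in held.api_groups)
            and ("*" in held.resources or resource in held.resources)
            and ("*" in held.verbs or verb in held.verbs))


def missing_permissions(held_rules, requested_rules):
    """Triples in the requested role that the requester does not hold.
    An empty list means the role can be created without 'escalate'."""
    missing = []
    for req in requested_rules:
        for g in sorted(req.api_groups):
            for r in sorted(req.resources):
                for v in sorted(req.verbs):
                    if not any(covers(h, g, r, v) for h in held_rules):
                        missing.append((g, r, v))
    return missing


def can_create_role(held_rules, requested_rules) -> bool:
    """Allowed if all rules are held, or the requester holds 'escalate' on
    roles in rbac.authorization.k8s.io (this is what container.roles.escalate
    unlocks on GKE, and why it widens the escalation surface)."""
    if any(covers(h, "rbac.authorization.k8s.io", "roles", "escalate") for h in held_rules):
        return True
    return not missing_permissions(held_rules, requested_rules)


# Constructed sample input: the operator role's configmaps rule from the error,
# requested by a bot lacking the watch and patch verbs.
OPERATOR_CONFIGMAPS = Rule(frozenset([""]), frozenset(["configmaps"]),
                           frozenset(["list", "watch", "create", "update", "patch", "get", "delete"]))
BOT_HELD = [Rule(frozenset([""]), frozenset(["configmaps"]),
                 frozenset(["get", "list", "create", "update", "delete"]))]
BOT_WITH_ESCALATE = BOT_HELD + [Rule(frozenset(["rbac.authorization.k8s.io"]),
                                     frozenset(["roles"]), frozenset(["escalate"]))]
```

Running missing_permissions(BOT_HELD, [OPERATOR_CONFIGMAPS]) lists the two verbs the bot lacks; granting exactly those verbs (rather than escalate) is the narrower fix when the IAM layer allows it.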
Regarding kubernetes - GCP GKE: Service account "is attempting to grant RBAC permissions not currently held", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/71992187/