简介
很多时候我们在k8s上安装服务会遇到各种各样的权限问题,有时候为某个用户或者serviceaccount对象生成一个合适的role会比较头疼,这里推荐一个工具audit2rbac,它可以根据k8s的审计日志,为指定用户或者serviceaccount对象生成它们所需要的role.
audit2rbac下载地址: https://github.com/liggitt/audit2rbac/releases
前提要求
1、集群已经开启审计日志,且日志格式为json格式,开启审计日志可以参考https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#advanced-audit
2、建议日志级别设置为Metadata
,还可以减少日志大小
使用
我们这里已经开启了审计日志,这里截取一小段日志内容如下:
1 | {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"571b8d06-aa30-4aec-87cb-7bef2ef88d18","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/longhorn-system/leases/external-resizer-driver-longhorn-io","verb":"update","user":{"username":"system:serviceaccount:longhorn-system:longhorn-service-account","uid":"cdb0a05f-170d-4f02-aeec-88af904e68f7","groups":["system:serviceaccounts","system:serviceaccounts:longhorn-system","system:authenticated"]},"sourceIPs":["172.20.166.16"],"userAgent":"csi-resizer/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"leases","namespace":"longhorn-system","name":"external-resizer-driver-longhorn-io","uid":"81766194-e2e3-4edd-83d7-788a07562b91","apiGroup":"coordination.k8s.io","apiVersion":"v1","resourceVersion":"18772044"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-01-06T03:02:52.709670Z","stageTimestamp":"2021-01-06T03:02:52.710917Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"longhorn-bind\" of ClusterRole \"longhorn-role\" to ServiceAccount \"longhorn-service-account/longhorn-system\""}} |
接下来我们使用audit2rbac为serviceaccount:longhorn-system:longhorn-service-account
生成rbac role
1 | [root@master-01 audit2rbac]# ./audit2rbac -f /var/log/kube-audit/audit-log.json --serviceaccount longhorn-system:longhorn-service-account > longhorn-service-account-role.yaml |
查看一下生成的role
1 | apiVersion: rbac.authorization.k8s.io/v1 |