rest - K8s forbidden: attempt to grant extra privileges

Tags: rest kubernetes rbac

I cannot create a ClusterRole using the K8s REST API. I get the error "forbidden: attempt to grant extra privileges", even though I can create the same ClusterRole with 'kubectl apply' using the same user. Running in GCP. Version: "1.11.6-gke.3".

Here are my steps:

1. IAM configuration

IAM user: berlioz-robot@xxx.iam.gserviceaccount.com
Role: Kubernetes Engine Admin

2. Make the user an admin

Applied with kubectl:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: berlioz:robot-cluster-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: berlioz-robot@xxx.iam.gserviceaccount.com

3. Generate a login token

Header:
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "xxxxxxxxxxxxxxxxxxxxxxxxxx"
}

Payload:
{
  "iss": "berlioz-robot@xxx.iam.gserviceaccount.com",
  "sub": "berlioz-robot@xxx.iam.gserviceaccount.com",
  "aud": "https://www.googleapis.com/oauth2/v4/token",
  "scope": "https://www.googleapis.com/auth/cloud-platform",
  "iat": 1548743213,
  "exp": 1548746813
}

4. Log in
URL: https://www.googleapis.com/oauth2/v4/token
Method: POST
Body: {
    'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    'assertion': here-goes-the-signed-token
}

Result:
{
    "access_token": "ya29.xxxxxxxxxxxxxxxx",
    "expires_in": 3600,
    "token_type": "Bearer"
}

5. Create a new ClusterRole with the REST API
URL: https://CLUSTER-IP-ADDRESS/apis/rbac.authorization.k8s.io/v1/clusterroles
Method: POST
Headers: {
    Authorization: "Bearer ya29.xxxxxxxxxxxxxxxx",
    Content-Type: "application/json"
}
Body: {
    "metadata": {
      "name": "berlioz:controller-cluster-role"
    },
    "rules": [
      {
        "verbs": [
          "get",
          "list",
          "watch"
        ],
        "apiGroups": [
          ""
        ],
        "resources": [
          "nodes"
        ]
      }
    ],
    "kind": "ClusterRole",
    "apiVersion": "rbac.authorization.k8s.io/v1"
}

Result:
{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "clusterroles.rbac.authorization.k8s.io \"berlioz:controller-cluster-role-test\" is forbidden: attempt to grant extra privileges: [{[get] [] [nodes] [] []} {[list] [] [nodes] [] []} {[watch] [] [nodes] [] []}] user=&{110887992956644566571  [system:authenticated] map[user-assertion.cloud.google.com:[xxxxx]]} ownerrules=[{[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]}] ruleResolutionErrors=[]",
    "reason": "Forbidden",
    "details": {
        "name": "berlioz:controller-cluster-role-test",
        "group": "rbac.authorization.k8s.io",
        "kind": "clusterroles"
    },
    "code": 403
}

Interestingly, if I set the rules list to empty, everything goes through fine. As mentioned above, the same cluster role was created successfully with kubectl.

Best answer

According to the Google Cloud RBAC documentation:

In GKE, Cloud IAM and Kubernetes RBAC are integrated to authorize users to perform actions if they have sufficient permissions according to either tool. This is an important part of bootstrapping a GKE cluster, since by default GCP users do not have any Kubernetes RBAC RoleBindings.

Once users or GCP service accounts are authenticated, they must also be authorized to perform any action on a GKE cluster.

In GKE clusters using GKE v1.11.x and older, there is a limitation that Cloud IAM cannot grant the ability to create a Kubernetes RBAC Role or ClusterRole. However, the Kubernetes Engine Admin Cloud IAM role does grant users with the ability to create a Kubernetes RBAC RoleBinding or ClusterRoleBinding for any user, including themselves, which can be used to bind GCP users to predefined RBAC Roles.

In particular, the cluster-admin predefined RBAC role grants users full permissions in the cluster. Therefore, to bootstrap a user to allow them to create RBAC Roles and ClusterRoles, issue the following command, replacing [USER_ACCOUNT] with the target user's GCP login email address.

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user [USER_ACCOUNT]

Note: The [USER_ACCOUNT] is case sensitive. To avoid errors, enter the target user's email address in lowercase.


Alternatively, you can use the following yaml:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: username@google-account-domain.com
After creating such a ClusterRoleBinding, you will be able to create a ClusterRole.
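The 403 in step 5 is Kubernetes RBAC escalation prevention: a caller may only create a Role or ClusterRole whose rules are already covered by rules the caller itself holds. The error message shows which identity the API server saw for the REST call (a numeric ID whose only group is system:authenticated) and the two default rules every authenticated user gets (ownerrules=...), which is why the request is rejected while an empty rules list, or a caller bound to cluster-admin, goes through. The following Python script is an added example, not code from the original post or from Kubernetes; it reimplements a simplified version of the API server's rule-coverage check (wildcard verbs, groups, resources, subresource patterns and trailing-* nonResourceURL prefixes) and runs it over the rules quoted from the error above and over the rules a cluster-admin binding grants. The rule data is transcribed from the page; the function and class names are my own.

```python
"""Simplified model of the RBAC escalation check behind the
"attempt to grant extra privileges" error (added example, not from the
original post).  Each requested rule is broken down into one-element
tuples, and every tuple must be covered by at least one rule the
requesting identity already holds.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import List


@dataclass
class PolicyRule:
    verbs: List[str]
    api_groups: List[str] = field(default_factory=list)
    resources: List[str] = field(default_factory=list)
    resource_names: List[str] = field(default_factory=list)
    non_resource_urls: List[str] = field(default_factory=list)


def breakdown_rule(rule: PolicyRule) -> List[PolicyRule]:
    """Split a rule into one-element rules so coverage is decided per tuple."""
    parts: List[PolicyRule] = []
    for verb, group, resource in product(rule.verbs, rule.api_groups, rule.resources):
        for name in rule.resource_names or [None]:
            parts.append(PolicyRule([verb], [group], [resource], [name] if name else []))
    for verb, url in product(rule.verbs, rule.non_resource_urls):
        parts.append(PolicyRule([verb], non_resource_urls=[url]))
    return parts


def _resource_covered(owned: List[str], wanted: str) -> bool:
    # "*" covers everything; "pods/*" covers "pods/log"; "*/status" covers "pods/status"
    if "*" in owned or wanted in owned:
        return True
    if "/" in wanted:
        parent, sub = wanted.split("/", 1)
        return f"{parent}/*" in owned or f"*/{sub}" in owned
    return False


def _url_covered(owned: List[str], wanted: str) -> bool:
    # "/api/*" covers "/api/v1/nodes"; a bare "*" covers every path
    for path in owned:
        if path == "*" or path == wanted:
            return True
        if path.endswith("*") and wanted.startswith(path[:-1]):
            return True
    return False


def rule_covers(owner: PolicyRule, part: PolicyRule) -> bool:
    """Does one rule the caller holds cover one broken-down requested tuple?"""
    if "*" not in owner.verbs and part.verbs[0] not in owner.verbs:
        return False
    if part.non_resource_urls:
        return _url_covered(owner.non_resource_urls, part.non_resource_urls[0])
    group_ok = "*" in owner.api_groups or part.api_groups[0] in owner.api_groups
    resource_ok = _resource_covered(owner.resources, part.resources[0])
    # an owner rule without resourceNames applies to every object of that kind;
    # a rule restricted to names only covers requests restricted to those names
    name_ok = not owner.resource_names or (
        bool(part.resource_names) and part.resource_names[0] in owner.resource_names)
    return group_ok and resource_ok and name_ok


def uncovered_rules(owner_rules: List[PolicyRule], requested: List[PolicyRule]) -> List[PolicyRule]:
    """Return the requested tuples the caller may not grant (empty list => allowed)."""
    return [part for rule in requested for part in breakdown_rule(rule)
            if not any(rule_covers(o, part) for o in owner_rules)]


# ownerrules quoted from the 403 above: what the token's identity actually holds
OWNER_RULES_FROM_ERROR = [
    PolicyRule(["create"], ["authorization.k8s.io"],
               ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]),
    PolicyRule(["get"], non_resource_urls=[
        "/api", "/api/*", "/apis", "/apis/*", "/healthz", "/openapi", "/openapi/*",
        "/swagger-2.0.0.pb-v1", "/swagger.json", "/swaggerapi", "/swaggerapi/*",
        "/version", "/version/"]),
]
# the rules in the ClusterRole body posted in step 5
REQUESTED_RULES = [PolicyRule(["get", "list", "watch"], [""], ["nodes"])]
# what the cluster-admin ClusterRole grants: wildcards everywhere
CLUSTER_ADMIN_RULES = [PolicyRule(["*"], ["*"], ["*"]),
                       PolicyRule(["*"], non_resource_urls=["*"])]

if __name__ == "__main__":
    for label, owner in (("token identity", OWNER_RULES_FROM_ERROR),
                         ("cluster-admin", CLUSTER_ADMIN_RULES)):
        missing = uncovered_rules(owner, REQUESTED_RULES)
        verdict = "allowed" if not missing else f"forbidden, extra privileges: {missing}"
        print(f"{label}: {verdict}")
```

Running it reports the three uncovered tuples (get/list/watch on nodes) for the identity from the error and "allowed" for cluster-admin, and an empty rules list is trivially covered, matching the behaviour described in the question. The practical check before blaming the API: confirm which identity the token actually maps to (kubectl auth can-i or a SelfSubjectRulesReview under the same bearer token) and that the ClusterRoleBinding subject names exactly that identity.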

Regarding "rest - K8s forbidden: attempt to grant extra privileges", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54414991/
