CKS practice exam question, Killer.sh | Preview Question 1

Use context: kubectl config use-context infra-prod

You have admin access to cluster2. There is also context gianna@infra-prod which authenticates as user gianna with the same cluster.

There are existing cluster-level RBAC resources in place to, among other things, ensure that user gianna can never read Secret contents cluster-wide. Confirm this is correct or restrict the existing RBAC resources to ensure this.

In addition, create more RBAC resources to allow user gianna to create Pods and Deployments in Namespaces security, restricted and internal. It's likely the user will receive these exact permissions as well for other Namespaces in the future.




Solution
Check the existing RBAC rules

From the admin context, find every binding that names gianna, then look at the role it points to:

k get clusterrolebinding -oyaml | grep gianna -A10 -B20   # which bindings mention gianna
k edit clusterrolebinding gianna                          # roleRef -> ClusterRole gianna
k edit clusterrole gianna                                 # its rules include list on secrets
k auth can-i list secrets --as gianna                     # cluster-wide list, no namespace given
k auth can-i get secrets --as gianna                      # get is a separate verb, check it too

Note that list is enough on its own to read Secret contents: a list response returns the full objects, including the data field, so a user who can only list secrets still sees everything with -oyaml. A "no" for get is therefore not sufficient. Confirm it from gianna's own context:

k config use-context gianna@infra-prod
k -n security get secrets                                 # list: allowed while the ClusterRole grants it
k -n security get secret kubeadmin-token                  # get on a single Secret: a different verb
k -n security get secrets -oyaml | grep password          # the list response carries the Secret data


Edit the rule

k config use-context infra-prod   # back to the admin context

k edit clusterrole gianna
# kubectl edit clusterrole gianna
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-09-26T13:57:55Z"
  name: gianna
  resourceVersion: "4496"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/gianna
  uid: b713c1cf-87e5-4313-808e-1a51f392adc0
rules:
- apiGroups:
  - ""
  resources:
#  - secrets       # remove
  - configmaps
  - pods
  - namespaces
  verbs:
  - list
Create additional RBAC rules

Which combination to use depends on where the rule is defined and where the permissions take effect:

Combination                        Rule defined    Permissions apply
Role + RoleBinding                 one namespace   that namespace only
ClusterRole + ClusterRoleBinding   cluster-wide    whole cluster
ClusterRole + RoleBinding          cluster-wide    only the RoleBinding's namespace
Role + ClusterRoleBinding          not allowed: a ClusterRoleBinding can only reference a ClusterRole

Since the user will likely receive the same permissions in more namespaces later, define the rule once as a ClusterRole and bind it per namespace with a RoleBinding; adding a namespace then only needs one more RoleBinding.
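The checks in this question (can gianna read Secrets anywhere, and in which namespaces can she create Pods and Deployments) can also be answered offline from the JSON that `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` returns. The evaluator below is an added example written for this page; it is not part of Killer.sh's solution and not a Kubernetes API. It implements the binding table above (ClusterRoleBinding grants everywhere, RoleBinding grants in its own namespace, a Role is only reachable from a RoleBinding in the same namespace) and the RBAC allow-only union semantics. The SAMPLE_RBAC data is constructed to model the cluster described in the question, before and after the `secrets` removal; the function names and the `fix_cluster` helper are assumptions of this example.

```python
import json

# Constructed sample (not real cluster output) modelling the question's cluster:
# ClusterRole "gianna" bound cluster-wide, and the new ClusterRole
# "gianna-additional" bound by a RoleBinding in three namespaces.
# Each list has the shape of `.items` from `kubectl get <kind> -A -o json`.
SAMPLE_RBAC = {
    "clusterroles": [
        {"metadata": {"name": "gianna"},
         "rules": [{"apiGroups": [""],
                    "resources": ["secrets", "configmaps", "pods", "namespaces"],
                    "verbs": ["list"]}]},
        {"metadata": {"name": "gianna-additional"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]},
                   {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]}]},
    ],
    "clusterrolebindings": [
        {"metadata": {"name": "gianna"},
         "roleRef": {"kind": "ClusterRole", "name": "gianna"},
         "subjects": [{"kind": "User", "name": "gianna"}]},
    ],
    "roles": [],
    "rolebindings": [
        {"metadata": {"name": "gianna-additional", "namespace": ns},
         "roleRef": {"kind": "ClusterRole", "name": "gianna-additional"},
         "subjects": [{"kind": "User", "name": "gianna"}]}
        for ns in ("security", "restricted", "internal")
    ],
}


def _hit(allowed, value):
    # "*" is the RBAC wildcard; the core API group is the empty string.
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, resource, api_group):
    return (_hit(rule.get("apiGroups", []), api_group)
            and _hit(rule.get("resources", []), resource)
            and _hit(rule.get("verbs", []), verb))


def _binds_user(binding, user):
    return any(s.get("kind") == "User" and s.get("name") == user
               for s in binding.get("subjects", []))


def _resolve_role(rbac, binding):
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return next((r for r in rbac["clusterroles"] if r["metadata"]["name"] == ref["name"]), None)
    # A Role is only reachable from a RoleBinding in the same namespace;
    # a ClusterRoleBinding pointing at a Role is rejected by the API server.
    ns = binding["metadata"].get("namespace")
    return next((r for r in rbac["roles"] if r["metadata"]["name"] == ref["name"]
                 and r["metadata"]["namespace"] == ns), None) if ns else None


def _role_allows(rbac, binding, verb, resource, api_group):
    role = _resolve_role(rbac, binding)
    return bool(role) and any(rule_allows(r, verb, resource, api_group) for r in role.get("rules", []))


def can_i(rbac, user, verb, resource, api_group="", namespace=None):
    """Mirror `kubectl auth can-i VERB RESOURCE --as USER [-n NS]`.
    namespace=None is a cluster-scoped request (e.g. `get secrets -A`), which only a
    ClusterRoleBinding can grant. RBAC is allow-only: one matching rule from any
    binding is enough, so all bindings are unioned and there is no "deny"."""
    for crb in rbac["clusterrolebindings"]:
        if _binds_user(crb, user) and _role_allows(rbac, crb, verb, resource, api_group):
            return True
    if namespace is None:
        return False
    for rb in rbac["rolebindings"]:
        if (rb["metadata"]["namespace"] == namespace and _binds_user(rb, user)
                and _role_allows(rbac, rb, verb, resource, api_group)):
            return True
    return False


def namespaces_where(rbac, user, verb, resource, api_group=""):
    """Namespaces in which the permission holds; {"*"} if a ClusterRoleBinding grants it everywhere."""
    if can_i(rbac, user, verb, resource, api_group):
        return {"*"}
    return {rb["metadata"]["namespace"] for rb in rbac["rolebindings"]
            if can_i(rbac, user, verb, resource, api_group, rb["metadata"]["namespace"])}


def drop_resource(role, resource):
    """The edit from the question (`kubectl edit clusterrole gianna`): remove `resource`
    from every rule; a rule left with no resources is dropped, nonResourceURLs rules are kept."""
    new_rules = []
    for rule in role.get("rules", []):
        if "resources" not in rule:
            new_rules.append(rule)
            continue
        kept = [r for r in rule["resources"] if r != resource]
        if kept:
            new_rules.append({**rule, "resources": kept})
    return {**role, "rules": new_rules}


def fix_cluster(rbac):
    """Copy of `rbac` with secrets removed from ClusterRole gianna (hypothetical helper)."""
    return {**rbac, "clusterroles": [drop_resource(r, "secrets") if r["metadata"]["name"] == "gianna" else r
                                     for r in rbac["clusterroles"]]}


def audit(rbac, user="gianna"):
    """The answers this question asks for, as one dict."""
    return {
        "list_secrets_cluster_wide": can_i(rbac, user, "list", "secrets"),
        "list_secrets_in_security": can_i(rbac, user, "list", "secrets", namespace="security"),
        "create_pods_in": sorted(namespaces_where(rbac, user, "create", "pods")),
        "create_deployments_in": sorted(namespaces_where(rbac, user, "create", "deployments", "apps")),
    }


if __name__ == "__main__":
    print(json.dumps({"before": audit(SAMPLE_RBAC), "after": audit(fix_cluster(SAMPLE_RBAC))}, indent=2))
```

To run it against a real cluster, replace SAMPLE_RBAC with the `.items` arrays of the four kinds (for example `kubectl get clusterroles -o json | jq .items`, and the same for the other kinds). The evaluator deliberately ignores ClusterRole aggregation, resourceNames, subresources and Group or ServiceAccount subjects, so treat it as a fast audit over a dump; `kubectl auth can-i` against the live API server remains the authoritative check.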

Create the role

k create clusterrole gianna-additional --verb=create --resource=pods --resource=deployments
# kubectl create clusterrole gianna-additional --verb=create --resource=pods --resource=deployments
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: gianna-additional
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create

Create the three bindings

k -n security create rolebinding gianna-additional \
--clusterrole=gianna-additional --user=gianna

k -n restricted create rolebinding gianna-additional \
--clusterrole=gianna-additional --user=gianna

k -n internal create rolebinding gianna-additional \
--clusterrole=gianna-additional --user=gianna
# k -n security create rolebinding gianna-additional --clusterrole=gianna-additional --user=gianna
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: gianna-additional
  namespace: security
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gianna-additional
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gianna

Test

Check the new permissions namespace by namespace; a namespace without a RoleBinding (default) must still answer no:

k -n default auth can-i create pods --as gianna
# no

k -n security auth can-i create pods --as gianna
# yes

k -n restricted auth can-i create pods --as gianna
# yes

k -n internal auth can-i create pods --as gianna
# yes

Finally re-run the Secret check from the first step (k auth can-i list secrets --as gianna); after the ClusterRole edit it must answer no.