Why aren't system:nodes, system:masters, etc. listed under `kubectl get role -A` or `kubectl get clusterroles`?

I'm really struggling to understand the AWS doc "Enabling IAM user and role access to your cluster".

When I run `kubectl edit -n kube-system configmap/aws-auth`, I see this:

  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes

The docs tell me to run `kubectl get roles -A` and `kubectl get clusterroles` to see my roles and cluster roles, and then `kubectl describe role role-name -n kube-system` and `kubectl describe clusterrole cluster-role-name`.

I want to set my AWS IAM user up as `admin`/`cluster-admin`, but it doesn't work with this config:

  mapUsers: |
    - userarn: arn:aws:iam::**********:user/nathan
      username: nathan
      groups:
      - cluster-admin

I found that I can make it work when I use `system:masters`. But then I looked at all roles, clusterroles, rolebindings and clusterrolebindings, and I can't see any of the "system" groups used in `configmap/aws-auth`:

  • system:bootstrappers
  • system:nodes
  • system:masters

However, I can see the following:

  • clusterrolebindings - `system:node` (singular)
  • clusterroles - `system:node-bootstrapper`

I'm really lost! What am I misunderstanding? What are the "groups" in `configmap/aws-auth`? How do they relate to these roles/clusterroles? If I want to use `cluster-admin`, do I need to prefix it with something, or add a "binding" somewhere?

`system:masters` works fine and gives me access in the EKS web console, but I just want to understand how it works.

Here are my `roles` and `clusterroles`:

$ kubectl get roles -A
NAMESPACE          NAME                                             CREATED AT
europe-v3-system   ingress-nginx                                    2022-04-26T01:21:05Z
kube-public        system:controller:bootstrap-signer               2022-04-26T01:13:11Z
kube-system        cert-manager-cainjector:leaderelection           2022-04-26T01:21:34Z
kube-system        cert-manager:leaderelection                      2022-04-26T01:21:34Z
kube-system        cluster-autoscaler                               2022-04-26T01:18:18Z
kube-system        eks-vpc-resource-controller-role                 2022-04-26T01:13:15Z
kube-system        eks:addon-manager                                2022-04-26T01:13:13Z
kube-system        eks:certificate-controller                       2022-04-26T01:13:12Z
kube-system        eks:fargate-manager                              2022-04-26T01:13:12Z
kube-system        eks:node-manager                                 2022-04-26T01:13:12Z
kube-system        extension-apiserver-authentication-reader        2022-04-26T01:13:10Z
kube-system        system::leader-locking-kube-controller-manager   2022-04-26T01:13:11Z
kube-system        system::leader-locking-kube-scheduler            2022-04-26T01:13:11Z
kube-system        system:controller:bootstrap-signer               2022-04-26T01:13:10Z
kube-system        system:controller:cloud-provider                 2022-04-26T01:13:10Z
kube-system        system:controller:token-cleaner                  2022-04-26T01:13:11Z
kube-system        vpc-resource-controller-leader-election-role     2022-04-26T01:13:14Z

$ kubectl get clusterroles
NAME                                                                   CREATED AT
admin                                                                  2022-04-26T01:13:10Z
atom                                                                   2022-04-26T01:21:03Z
aws-node                                                               2022-04-26T01:13:12Z
cert-manager-cainjector                                                2022-04-26T01:21:34Z
cert-manager-controller-certificates                                   2022-04-26T01:21:34Z
cert-manager-controller-challenges                                     2022-04-26T01:21:34Z
cert-manager-controller-clusterissuers                                 2022-04-26T01:21:34Z
cert-manager-controller-ingress-shim                                   2022-04-26T01:21:34Z
cert-manager-controller-issuers                                        2022-04-26T01:21:34Z
cert-manager-controller-orders                                         2022-04-26T01:21:34Z
cert-manager-edit                                                      2022-04-26T01:21:34Z
cert-manager-view                                                      2022-04-26T01:21:34Z
cert-manager-webhook:webhook-requester                                 2022-04-26T01:21:34Z
cloudwatch-agent-role                                                  2022-06-05T02:20:04Z
cluster-admin                                                          2022-04-26T01:13:10Z
cluster-autoscaler                                                     2022-04-26T01:18:18Z
edit                                                                   2022-04-26T01:13:10Z
eks-console-dashboard-full-access-clusterrole                          2022-04-26T02:03:47Z
eks:addon-manager                                                      2022-04-26T01:13:12Z
eks:fargate-manager                                                    2022-04-26T01:13:12Z
eks:node-bootstrapper                                                  2022-04-26T01:13:13Z
eks:node-manager                                                       2022-04-26T01:13:12Z
eks:podsecuritypolicy:privileged                                       2022-04-26T01:13:13Z
europe-v3-api                                                          2022-04-26T01:21:03Z
europe-v3-fluentd                                                      2022-04-26T01:21:04Z
ingress-nginx                                                          2022-04-26T01:21:04Z
resolver                                                               2022-04-26T01:21:03Z
system:aggregate-to-admin                                              2022-04-26T01:13:10Z
system:aggregate-to-edit                                               2022-04-26T01:13:10Z
system:aggregate-to-view                                               2022-04-26T01:13:10Z
system:aggregated-metrics-reader                                       2022-04-26T01:21:04Z
system:auth-delegator                                                  2022-04-26T01:13:10Z
system:basic-user                                                      2022-04-26T01:13:10Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2022-04-26T01:13:10Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2022-04-26T01:13:10Z
system:certificates.k8s.io:kube-apiserver-client-approver              2022-04-26T01:13:10Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2022-04-26T01:13:10Z
system:certificates.k8s.io:kubelet-serving-approver                    2022-04-26T01:13:10Z
system:certificates.k8s.io:legacy-unknown-approver                     2022-04-26T01:13:10Z
system:controller:attachdetach-controller                              2022-04-26T01:13:10Z
system:controller:certificate-controller                               2022-04-26T01:13:10Z
system:controller:clusterrole-aggregation-controller                   2022-04-26T01:13:10Z
system:controller:cronjob-controller                                   2022-04-26T01:13:10Z
system:controller:daemon-set-controller                                2022-04-26T01:13:10Z
system:controller:deployment-controller                                2022-04-26T01:13:10Z
system:controller:disruption-controller                                2022-04-26T01:13:10Z
system:controller:endpoint-controller                                  2022-04-26T01:13:10Z
system:controller:endpointslice-controller                             2022-04-26T01:13:10Z
system:controller:endpointslicemirroring-controller                    2022-04-26T01:13:10Z
system:controller:expand-controller                                    2022-04-26T01:13:10Z
system:controller:generic-garbage-collector                            2022-04-26T01:13:10Z
system:controller:horizontal-pod-autoscaler                            2022-04-26T01:13:10Z
system:controller:job-controller                                       2022-04-26T01:13:10Z
system:controller:namespace-controller                                 2022-04-26T01:13:10Z
system:controller:node-controller                                      2022-04-26T01:13:10Z
system:controller:persistent-volume-binder                             2022-04-26T01:13:10Z
system:controller:pod-garbage-collector                                2022-04-26T01:13:10Z
system:controller:pv-protection-controller                             2022-04-26T01:13:10Z
system:controller:pvc-protection-controller                            2022-04-26T01:13:10Z
system:controller:replicaset-controller                                2022-04-26T01:13:10Z
system:controller:replication-controller                               2022-04-26T01:13:10Z
system:controller:resourcequota-controller                             2022-04-26T01:13:10Z
system:controller:route-controller                                     2022-04-26T01:13:10Z
system:controller:service-account-controller                           2022-04-26T01:13:10Z
system:controller:service-controller                                   2022-04-26T01:13:10Z
system:controller:statefulset-controller                               2022-04-26T01:13:10Z
system:controller:ttl-controller                                       2022-04-26T01:13:10Z
system:coredns                                                         2022-04-26T01:13:12Z
system:discovery                                                       2022-04-26T01:13:10Z
system:heapster                                                        2022-04-26T01:13:10Z
system:kube-aggregator                                                 2022-04-26T01:13:10Z
system:kube-controller-manager                                         2022-04-26T01:13:10Z
system:kube-dns                                                        2022-04-26T01:13:10Z
system:kube-scheduler                                                  2022-04-26T01:13:10Z
system:kubelet-api-admin                                               2022-04-26T01:13:10Z
system:metrics-server                                                  2022-04-26T01:21:04Z
system:node                                                            2022-04-26T01:13:10Z
system:node-bootstrapper                                               2022-04-26T01:13:10Z
system:node-problem-detector                                           2022-04-26T01:13:10Z
system:node-proxier                                                    2022-04-26T01:13:10Z
system:persistent-volume-provisioner                                   2022-04-26T01:13:10Z
system:public-info-viewer                                              2022-04-26T01:13:10Z
system:volume-scheduler                                                2022-04-26T01:13:10Z
view                                                                   2022-04-26T01:13:10Z
vpc-resource-controller-role                                           2022-04-26T01:13:14Z

Thanks!

Answer 1

You won't find `kubectl get` resources for any authn principals, because they don't need to be pre-allocated. The `system:masters` group is one of a few well-known names hard-coded into the source code.

> What are the "groups" in `configmap/aws-auth`?

If you frame it in terms of k8s x.509 authentication, `username:` is the `CN=`, the singular subject name, and `groups:` are the `OU=`, any number of authn containers that can be used in (Cluster)RoleBindings.

> How do they relate to these roles/clusterroles? If I want to use cluster-admin, do I need to prefix it with something, or add a "binding" somewhere?

`RoleBinding` and `ClusterRoleBinding` are what associate the presented authn names (which are arbitrary, apart from the few hard-coded ones) with `Role` and `ClusterRole` objects in the k8s API.

I don't know whether you're also asking how IAM users/roles get mapped to k8s principals, but if so, it's because `aws eks get-token` (produced by the `exec:` stanza in `$KUBECONFIG`) generates a JWT that encodes the `sub:` and `claims:` and is signed by the AWS IAM OpenID Connect provider, which the apiserver then trusts just like Google or GitLab or your favorite OIDC provider.

The aws-iam-authenticator repository describes this setup in detail.
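As an added example (not from the answer or the aws-iam-authenticator project), the audit below takes the groups named in aws-auth and checks which of them a (Cluster)RoleBinding actually grants anything to, which is exactly the gap between the `cluster-admin` group that did nothing and the `system:masters` group that worked. The sample data is constructed to mirror the question; the placeholder account id, the `ops` user and the custom `eks-admins` group and binding are assumptions.

```python
import json

# Groups the API server treats as superusers regardless of RBAC objects.
HARDCODED_SUPERUSER_GROUPS = {"system:masters"}

def bound_groups(bindings):
    """Group name -> [(binding name, roleRef name)] for every Group subject."""
    out = {}
    for b in bindings["items"]:
        for s in b.get("subjects") or []:
            if s.get("kind") == "Group":
                out.setdefault(s["name"], []).append((b["metadata"]["name"], b["roleRef"]["name"]))
    return out

def audit(mappings, bindings, clusterrole_names):
    """Classify each group named in aws-auth mapUsers/mapRoles entries."""
    bound = bound_groups(bindings)
    report = {}
    for g in sorted({g for m in mappings for g in m.get("groups", [])}):
        if g in HARDCODED_SUPERUSER_GROUPS:
            report[g] = "superuser: hard-coded well-known group, no binding needed"
        elif g in bound:
            report[g] = "bound: " + ", ".join(f"{bn} -> {rn}" for bn, rn in bound[g])
        elif g in clusterrole_names:
            report[g] = "UNBOUND: a ClusterRole has this name, but a group is only a label"
        else:
            report[g] = "UNBOUND: no (Cluster)RoleBinding has a Group subject with this name"
    return report

# Constructed sample data mirroring the question (account id is a placeholder).
SAMPLE_MAPPINGS = [
    {"userarn": "arn:aws:iam::111122223333:user/nathan", "username": "nathan",
     "groups": ["cluster-admin", "system:masters"]},
    {"userarn": "arn:aws:iam::111122223333:user/ops", "username": "ops", "groups": ["eks-admins"]},
]
# Shaped like `kubectl get clusterrolebindings -o json`: the first binding is the
# bootstrap one Kubernetes itself creates, the second is a constructed custom one.
SAMPLE_BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"metadata": {"name": "eks-admins"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "eks-admins"}]}]}""")
SAMPLE_CLUSTERROLES = {"admin", "cluster-admin", "edit", "view"}

if __name__ == "__main__":
    for group, verdict in audit(SAMPLE_MAPPINGS, SAMPLE_BINDINGS, SAMPLE_CLUSTERROLES).items():
        print(f"{group:16} {verdict}")
```

Against a live cluster, feed it the parsed aws-auth entries, the output of `kubectl get clusterrolebindings,rolebindings -A -o json` and the ClusterRole names; any group reported as UNBOUND grants nothing no matter how it is spelled.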
