Use context: kubectl config use-context infra-prod

You have admin access to cluster2. There is also context gianna@infra-prod which authenticates as user gianna with the same cluster.

There are existing cluster-level RBAC resources in place to, among other things, ensure that user gianna can never read Secret contents cluster-wide. Confirm this is correct or restrict the existing RBAC resources to ensure this.

In addition, create more RBAC resources to allow user gianna to create Pods and Deployments in the Namespaces security, restricted and internal. It’s likely the user will receive these exact permissions for other Namespaces in the future as well.


Translation

Use context: kubectl config use-context infra-prod

You have admin access to cluster2. There is also a context gianna@infra-prod, which authenticates as user gianna against the same cluster.

Existing cluster-level RBAC resources are in place to, among other things, ensure that user gianna can never read Secret contents cluster-wide. Confirm this is correct, or restrict the existing RBAC resources to ensure it.

In addition, create more RBAC resources to allow user gianna to create Pods and Deployments in the Namespaces security, restricted and internal. The user will likely receive these exact permissions for other Namespaces in the future as well.


Solution

Check the existing RBAC rules
k get clusterrolebinding -oyaml | grep gianna -A10 -B20
k edit clusterrolebinding gianna
k edit clusterrole gianna
k auth can-i list secrets --as gianna

k auth can-i get secrets --as gianna
k config use-context gianna@infra-prod
k -n security get secrets
k -n security get secret kubeadmin-token
k -n security get secrets -oyaml | grep password


Edit the rule

k config use-context infra-prod # back to the admin context

k edit clusterrole gianna
# kubectl edit clusterrole gianna
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-09-26T13:57:55Z"
  name: gianna
  resourceVersion: "4496"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/gianna
  uid: b713c1cf-87e5-4313-808e-1a51f392adc0
rules:
- apiGroups:
  - ""
  resources:
  # - secrets # remove
  - configmaps
  - pods
  - namespaces
  verbs:
  - list
Create the additional RBAC resources

Combination                       | Scope of the role  | Scope of the binding
Role + RoleBinding                | single namespace   | single namespace
ClusterRole + ClusterRoleBinding  | cluster-wide       | cluster-wide
ClusterRole + RoleBinding         | cluster-wide       | single namespace
Role + ClusterRoleBinding         | not possible       | cluster-wide

ClusterRole + RoleBinding is the right combination here: the permissions are defined once, and granting them in another Namespace later only needs one more RoleBinding.

Create a ClusterRole

k create clusterrole gianna-additional --verb=create --resource=pods --resource=deployments
# kubectl create clusterrole gianna-additional --verb=create --resource=pods --resource=deployments
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: gianna-additional
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create

Create three RoleBindings

k -n security create rolebinding gianna-additional \
--clusterrole=gianna-additional --user=gianna

k -n restricted create rolebinding gianna-additional \
--clusterrole=gianna-additional --user=gianna

k -n internal create rolebinding gianna-additional \
--clusterrole=gianna-additional --user=gianna
# k -n security create rolebinding gianna-additional --clusterrole=gianna-additional --user=gianna
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: gianna-additional
  namespace: security
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gianna-additional
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gianna

Test

k -n default auth can-i create pods --as gianna
#no

k -n security auth can-i create pods --as gianna
#yes

k -n restricted auth can-i create pods --as gianna
#yes

k -n internal auth can-i create pods --as gianna
#yes
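To make the before/after reasoning of this solution checkable offline, here is an added example (not part of the original solution and not the apiserver's authorizer) that models the decision `kubectl auth can-i` makes. The Role, ClusterRole and binding objects are constructed from the YAML shown above; the evaluator is a deliberate simplification (no aggregated ClusterRoles, resourceNames, subresources or non-resource URLs), and the namespace `team-a` is a hypothetical future namespace.

```python
# Added example: a minimal model of Kubernetes RBAC evaluation, built from the
# manifests on the page (constructed, not exported from a real cluster).
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list


@dataclass
class Role:
    """A Role (namespace set) or a ClusterRole (namespace None)."""
    name: str
    rules: list
    namespace: Optional[str] = None


@dataclass
class Binding:
    """A RoleBinding (namespace set) or a ClusterRoleBinding (namespace None)."""
    role: str
    users: list
    namespace: Optional[str] = None


# Resource -> API group, as kubectl resolves the names used on the page (constructed).
API_GROUP = {"pods": "", "secrets": "", "configmaps": "", "namespaces": "", "deployments": "apps"}


def rule_matches(rule: Rule, verb: str, resource: str) -> bool:
    group = API_GROUP[resource]
    return (("*" in rule.api_groups or group in rule.api_groups)
            and ("*" in rule.resources or resource in rule.resources)
            and ("*" in rule.verbs or verb in rule.verbs))


def can_i(user, verb, resource, namespace, roles, bindings) -> bool:
    """namespace=None models a cluster-wide request (e.g. `kubectl get secrets -A`).

    A RoleBinding grants only inside its own namespace; a ClusterRoleBinding grants
    everywhere and may only reference a ClusterRole (last row of the table above)."""
    for b in bindings:
        if user not in b.users:
            continue
        role = roles[b.role]
        if b.namespace is None and role.namespace is not None:
            raise ValueError("ClusterRoleBinding cannot reference a namespaced Role")
        if b.namespace is not None and b.namespace != namespace:
            continue  # RoleBinding in another namespace, or the request is cluster-wide
        if any(rule_matches(r, verb, resource) for r in role.rules):
            return True
    return False


# --- State reconstructed from the page's manifests -------------------------------
GIANNA_BEFORE = Role("gianna", [Rule([""], ["secrets", "configmaps", "pods", "namespaces"], ["list"])])
GIANNA_AFTER = Role("gianna", [Rule([""], ["configmaps", "pods", "namespaces"], ["list"])])
GIANNA_ADDITIONAL = Role("gianna-additional", [Rule([""], ["pods"], ["create"]),
                                               Rule(["apps"], ["deployments"], ["create"])])
EXISTING_CRB = Binding("gianna", ["gianna"])  # the pre-existing ClusterRoleBinding
NEW_RBS = [Binding("gianna-additional", ["gianna"], ns) for ns in ("security", "restricted", "internal")]


def secrets_before_fix() -> dict:
    """With verb `list` only, `get secret <name>` is denied but `get secrets -oyaml`
    (a LIST request) still returns full objects, data included. That is why the
    original ClusterRole had to lose `secrets` even though `get` was never granted."""
    roles = {"gianna": GIANNA_BEFORE}
    return {v: can_i("gianna", v, "secrets", None, roles, [EXISTING_CRB]) for v in ("list", "get")}


def secrets_after_fix() -> dict:
    roles = {"gianna": GIANNA_AFTER}
    return {v: can_i("gianna", v, "secrets", None, roles, [EXISTING_CRB]) for v in ("list", "get")}


def create_pods_per_namespace() -> dict:
    """Mirrors the page's `k -n <ns> auth can-i create pods --as gianna` checks."""
    roles = {"gianna": GIANNA_AFTER, "gianna-additional": GIANNA_ADDITIONAL}
    bindings = [EXISTING_CRB] + NEW_RBS
    return {ns: can_i("gianna", "create", "pods", ns, roles, bindings)
            for ns in ("default", "security", "restricted", "internal")}


def grant_future_namespace(ns: str) -> dict:
    """Granting a new namespace later is one more RoleBinding to the same ClusterRole."""
    roles = {"gianna": GIANNA_AFTER, "gianna-additional": GIANNA_ADDITIONAL}
    bindings = [EXISTING_CRB] + NEW_RBS + [Binding("gianna-additional", ["gianna"], ns)]
    return {"pods": can_i("gianna", "create", "pods", ns, roles, bindings),
            "deployments": can_i("gianna", "create", "deployments", ns, roles, bindings),
            "secrets": can_i("gianna", "get", "secrets", ns, roles, bindings)}


if __name__ == "__main__":
    print("secrets before fix:", secrets_before_fix())
    print("secrets after fix: ", secrets_after_fix())
    print("create pods:", create_pods_per_namespace())
    print("future namespace team-a:", grant_future_namespace("team-a"))
```

The point the model makes explicit is the one the `grep password` step above demonstrates in practice: a ClusterRole that allows only `list` on Secrets still exposes their contents cluster-wide, so an audit has to look at every verb that returns objects, not just `get`.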