In real work we usually do not want everyone to hold super-administrator rights on the Kubernetes cluster: people's knowledge differs, and each person is responsible for a different line of business. So how do we control k8s permissions in a production environment?
We do it with JumpServer + K8s RBAC; the rough flow is as follows. Today we mainly explain how to generate a kubeconfig file that carries the corresponding permissions.
1. RBAC must be enabled on the K8s cluster: when the API server starts, make sure the --authorization-mode flag includes RBAC:
kube-apiserver --authorization-mode=Example,RBAC --<other options> --<other options>
2. You also need to understand how K8s RBAC grants permissions; we do not go into that here, see the official documentation.
3. You can run the steps below as a user with admin rights.
4. Understand user authentication in K8s; study it on your own.
Below we create a user with read-only access to the default namespace.
Create a ServiceAccount
$ cat service_account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: zsf-test-user
  namespace: default
$ kubectl apply -f service_account.yaml
serviceaccount/zsf-test-user created
Get the name of the token Secret that belongs to the ServiceAccount. (On Kubernetes 1.24 and later a token Secret is no longer created automatically for a ServiceAccount; create one with kubectl create token, or with a Secret of type kubernetes.io/service-account-token, before this step.)
$ kubectl describe serviceaccounts zsf-test-user | awk '$0~/Tokens/{print $NF}'
zsf-test-user-token-zklc5
Get the Secret's contents from the token name
$ kubectl describe secret zsf-test-user-token-zklc5
Name:         zsf-test-user-token-zklc5
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: zsf-test-user
              kubernetes.io/service-account.uid: f64bbeac-7b75-4060-9bc6-1854d867a604
Type:  kubernetes.io/service-account-token
Data
====
ca.crt:     1066 bytes
namespace:  7 bytes
token:      <JWT token value, omitted here>
Get the cluster information and save it to a file. Note that --minify with the admin context also writes the admin client certificate and private key into cluster-info.yaml; only certificate-authority-data, server and name are needed below, so delete the file once those have been copied.
$ kubectl config view --flatten --minify > cluster-info.yaml
$ cat cluster-info.yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate, omitted here>
    server: https://192.168.4.58:6443
  name: qa-test
contexts:
- context:
    cluster: qa-test
    user: kubernetes-admin
  name: kubernetes-admin@qa-test
current-context: kubernetes-admin@qa-test
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <base64 admin client certificate, omitted here>
    client-key-data: <base64 admin private key, omitted here>
Use the cluster information obtained above to generate the config file for the user (the ${...} entries are placeholders to fill in):
apiVersion: v1
kind: Config
users:
- name: ${Service_Account.Name}
  user:
    token: ${TOKEN content of the service account}
clusters:
- cluster:
    certificate-authority-data: ${certificate-authority-data from cluster-info.yaml}
    server: ${server from cluster-info.yaml}
  name: ${name from cluster-info.yaml}
contexts:
- context:
    cluster: ${name from cluster-info.yaml}
    user: ${Service_Account.Name}
  name: ${Service_Account.Name}-context
current-context: ${Service_Account.Name}-context
Create the RBAC rules; this is where the permissions of different users are actually controlled. Note that although the account is meant to be read-only, the second rule grants every verb on pods/exec, which lets the holder run commands inside pods; drop that rule if you want strictly read-only access. nodes is a cluster-scoped resource, so listing it in a namespaced Role grants nothing.
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: ${Service_Account.Name}-role
rules:
- apiGroups: [""]
  resources:
  - endpoints
  - pods
  - pods/attach
  - pods/binding
  - pods/status
  - pods/exec
  - pods/log
  - events
  - services
  - services/proxy
  - services/status
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups: [""]
  resources:
  - pods/exec
  verbs: ["*"]
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets/status
  - statefulsets
  - daemonsets
  - replicasets
  - deployments/status
  - replicasets/status
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - watch
EOF
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${Service_Account.Name}-role-bind
  namespace: default
subjects:
# The token authenticates as system:serviceaccount:default:<name>,
# so the subject must be a ServiceAccount (no apiGroup), not a User
- kind: ServiceAccount
  name: ${Service_Account.Name}
  namespace: default
roleRef:
  kind: Role
  name: ${Service_Account.Name}-role
  apiGroup: rbac.authorization.k8s.io
EOF
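Before applying the Role and RoleBinding above, a quick offline check is worth running; the following is an added example, not code from the original post. It flags rules that are not read-only or that name cluster-scoped resources, and reads the sub claim of a ServiceAccount token to show which RoleBinding subject it maps to. It uses only the Python standard library; PAGE_ROLE_RULES is a shortened transcription of the Role above, the function names are my own, and the token is constructed locally with a placeholder signature.

```python
import base64
import json

READ_ONLY_VERBS = {"get", "list", "watch"}
# Cluster-scoped core resources: naming them in a namespaced Role grants nothing,
# because a Role only covers objects inside its own namespace.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes"}

# Shortened transcription of the Role rules from the post (constructed input,
# so the check runs without PyYAML or a cluster).
PAGE_ROLE_RULES = [
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["endpoints", "pods", "pods/exec", "pods/log", "nodes"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
     "resources": ["deployments", "deployments/status"]},
]

def audit_role(rules):
    """Findings for rules that are not read-only or that a Role cannot grant."""
    findings = []
    for i, rule in enumerate(rules):
        extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS
        if extra:
            findings.append(f"rule {i}: verbs {sorted(extra)} on "
                            f"{rule['resources']} are not read-only")
        if "" in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                if res in CLUSTER_SCOPED:
                    findings.append(f"rule {i}: {res} is cluster-scoped, "
                                    "a namespaced Role cannot grant it")
    return findings

def sa_subject_from_token(token):
    """Read the (unverified) payload of a ServiceAccount JWT and return the
    RoleBinding subject that matches it; the API server does the real check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    # sub has the form system:serviceaccount:<namespace>:<name>
    _, _, namespace, name = claims["sub"].split(":")
    return {"kind": "ServiceAccount", "name": name, "namespace": namespace}

def constructed_token(sub):
    """Test token with real base64url JSON segments and a placeholder signature
    (constructed locally, not issued by any cluster)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "kid": "example"})
    claims = enc({"iss": "kubernetes/serviceaccount", "sub": sub})
    return f"{header}.{claims}.placeholder-signature"

if __name__ == "__main__":
    for finding in audit_role(PAGE_ROLE_RULES):
        print(finding)
    token = constructed_token("system:serviceaccount:default:zsf-test-user")
    print(sa_subject_from_token(token))
```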
Here is the script in full:
#!/bin/bash
# Create a k8s user and grant read-only access to part of the resources in the default namespace
set -euo pipefail
UserName=wiz-reader
ApiServerEndpoints=$(awk '$0~/server/{print $NF}' ~/.kube/config)
ClusterName=qa-test
NS=default
mkdir -p /etc/kubernetes/pki/client/${UserName}
cd /etc/kubernetes/pki/client/${UserName}
# Create the user certificate, signed by the cluster CA
openssl genrsa -out ${UserName}.key 2048
openssl req -new -key ${UserName}.key -out ${UserName}.csr -subj "/CN=${UserName}"
openssl x509 -req -in ${UserName}.csr -CA /etc/kubernetes/pki/ca.crt \
  -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ${UserName}.crt -days 3650
# Check the certificate validity period
#openssl x509 -noout -text -in ${UserName}.crt
# Create the kubeconfig file the user will use to access Kubernetes
# Set a cluster name and import the CA certificate
kubectl config set-cluster ${ClusterName} \
  --server=${ApiServerEndpoints} \
  --certificate-authority=/etc/kubernetes/pki/ca.crt \
  --embed-certs=true \
  --kubeconfig=./${UserName}.config
# Import the client certificate and key into the config file
kubectl config set-credentials ${UserName} \
  --client-certificate=${UserName}.crt \
  --client-key=${UserName}.key \
  --embed-certs=true \
  --kubeconfig=./${UserName}.config
# namespace: the namespace the user accesses by default
# Set a context that ties the cluster and the user together
kubectl config set-context ${UserName}@${ClusterName} \
  --cluster ${ClusterName} \
  --user=${UserName} \
  --namespace=${NS} \
  --kubeconfig=./${UserName}.config
# Make this context the current one
kubectl config use-context ${UserName}@${ClusterName} \
  --kubeconfig=./${UserName}.config
# Create the Role that defines the permissions
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${NS}
  name: ${UserName}-role
rules:
- apiGroups: [""]
  resources:
  - endpoints
  - pods
  - pods/attach
  - pods/binding
  - pods/status
  - pods/exec
  - pods/log
  - events
  - services
  - services/proxy
  - services/status
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups: [""]
  resources:
  - pods/exec
  verbs: ["*"]
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets/status
  - statefulsets
  - daemonsets
  - replicasets
  - deployments/status
  - replicasets/status
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - watch
EOF
# Bind the Role to the certificate user (the CN of the certificate is the user name)
kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${UserName}-role-bind
  namespace: ${NS}
subjects:
- kind: User
  name: ${UserName}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${UserName}-role
  apiGroup: rbac.authorization.k8s.io
EOF
# Create the Linux user on the jump host and install the kubeconfig for it
useradd -m ${UserName}
echo "${UserName}:Zs1gmm!" | chpasswd
mkdir -p /home/${UserName}/.kube/
cp $PWD/${UserName}.config /home/${UserName}/.kube/config
chown ${UserName}:${UserName} /home/${UserName}/.kube/config
chmod 600 /home/${UserName}/.kube/config
echo "kubernetes The configuration file location is $PWD/${UserName}.config"
echo "test command: KUBECONFIG=$PWD/${UserName}.config kubectl get pods"
Here is a question I have long had: how do I know which apiGroups exist, and which resources each apiGroup contains?
List the APIGroups available in the current cluster
There are two ways. One is the Kubernetes API reference documentation:
The other is to get them with a command
$ kubectl api-versions
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
apiextensions.k8s.io/v1
apiextensions.k8s.io/v1beta1
apiregistration.k8s.io/v1
apiregistration.k8s.io/v1beta1
apps/v1
authentication.k8s.io/v1
authentication.k8s.io/v1beta1
authorization.k8s.io/v1
authorization.k8s.io/v1beta1
autoscaling/v1
autoscaling/v2beta1
autoscaling/v2beta2
batch/v1
batch/v1beta1
certificates.k8s.io/v1
certificates.k8s.io/v1beta1
coordination.k8s.io/v1
coordination.k8s.io/v1beta1
discovery.k8s.io/v1beta1
events.k8s.io/v1
events.k8s.io/v1beta1
extensions/v1beta1
flowcontrol.apiserver.k8s.io/v1beta1
metrics.k8s.io/v1beta1
networking.k8s.io/v1
networking.k8s.io/v1beta1
node.k8s.io/v1
node.k8s.io/v1beta1
policy/v1beta1
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta1
scheduling.k8s.io/v1
scheduling.k8s.io/v1beta1
storage.k8s.io/v1
storage.k8s.io/v1beta1
v1
Get the resources
$ kubectl api-resources -o wide
NAME SHORTNAMES APIVERSION NAMESPACED KIND VERBS
bindings v1 true Binding [create]
componentstatuses cs v1 false ComponentStatus [get list]
configmaps cm v1 true ConfigMap [create delete deletecollection get list patch update watch]
endpoints ep v1 true Endpoints [create delete deletecollection get list patch update watch]
events ev v1 true Event [create delete deletecollection get list patch update watch]
limitranges limits v1 true LimitRange [create delete deletecollection get list patch update watch]
namespaces ns v1 false Namespace [create delete get list patch update watch]
nodes no v1 false Node [create delete deletecollection get list patch update watch]
persistentvolumeclaims pvc v1 true PersistentVolumeClaim [create delete deletecollection get list patch update watch]
persistentvolumes pv v1 false PersistentVolume [create delete deletecollection get list patch update watch]
pods po v1 true Pod [create delete deletecollection get list patch update watch]
podtemplates v1 true PodTemplate [create delete deletecollection get list patch update watch]
replicationcontrollers rc v1 true ReplicationController [create delete deletecollection get list patch update watch]
resourcequotas quota v1 true ResourceQuota [create delete deletecollection get list patch update watch]
secrets v1 true Secret [create delete deletecollection get list patch update watch]
serviceaccounts sa v1 true ServiceAccount [create delete deletecollection get list patch update watch]
services svc v1 true Service [create delete get list patch update watch]
mutatingwebhookconfigurations admissionregistration.k8s.io/v1 false MutatingWebhookConfiguration [create delete deletecollection get list patch update watch]
validatingwebhookconfigurations admissionregistration.k8s.io/v1 false ValidatingWebhookConfiguration [create delete deletecollection get list patch update watch]
customresourcedefinitions crd,crds apiextensions.k8s.io/v1 false CustomResourceDefinition [create delete deletecollection get list patch update watch]
apiservices apiregistration.k8s.io/v1 false APIService [create delete deletecollection get list patch update watch]
controllerrevisions apps/v1 true ControllerRevision [create delete deletecollection get list patch update watch]
daemonsets ds apps/v1 true DaemonSet [create delete deletecollection get list patch update watch]
deployments deploy apps/v1 true Deployment [create delete deletecollection get list patch update watch]
replicasets rs apps/v1 true ReplicaSet [create delete deletecollection get list patch update watch]
statefulsets sts apps/v1 true StatefulSet [create delete deletecollection get list patch update watch]
tokenreviews authentication.k8s.io/v1 false TokenReview [create]
localsubjectaccessreviews authorization.k8s.io/v1 true LocalSubjectAccessReview [create]
selfsubjectaccessreviews authorization.k8s.io/v1 false SelfSubjectAccessReview [create]
selfsubjectrulesreviews authorization.k8s.io/v1 false SelfSubjectRulesReview [create]
subjectaccessreviews authorization.k8s.io/v1 false SubjectAccessReview [create]
horizontalpodautoscalers hpa autoscaling/v1 true HorizontalPodAutoscaler [create delete deletecollection get list patch update watch]
cronjobs cj batch/v1beta1 true CronJob [create delete deletecollection get list patch update watch]
jobs batch/v1 true Job [create delete deletecollection get list patch update watch]
certificatesigningrequests csr certificates.k8s.io/v1 false CertificateSigningRequest [create delete deletecollection get list patch update watch]
leases coordination.k8s.io/v1 true Lease [create delete deletecollection get list patch update watch]
endpointslices discovery.k8s.io/v1beta1 true EndpointSlice [create delete deletecollection get list patch update watch]
events ev events.k8s.io/v1 true Event [create delete deletecollection get list patch update watch]
ingresses ing extensions/v1beta1 true Ingress [create delete deletecollection get list patch update watch]
flowschemas flowcontrol.apiserver.k8s.io/v1beta1 false FlowSchema [create delete deletecollection get list patch update watch]
prioritylevelconfigurations flowcontrol.apiserver.k8s.io/v1beta1 false PriorityLevelConfiguration [create delete deletecollection get list patch update watch]
nodes metrics.k8s.io/v1beta1 false NodeMetrics [get list]
pods metrics.k8s.io/v1beta1 true PodMetrics [get list]
ingressclasses networking.k8s.io/v1 false IngressClass [create delete deletecollection get list patch update watch]
ingresses ing networking.k8s.io/v1 true Ingress [create delete deletecollection get list patch update watch]
networkpolicies netpol networking.k8s.io/v1 true NetworkPolicy [create delete deletecollection get list patch update watch]
runtimeclasses node.k8s.io/v1 false RuntimeClass [create delete deletecollection get list patch update watch]
poddisruptionbudgets pdb policy/v1beta1 true PodDisruptionBudget [create delete deletecollection get list patch update watch]
podsecuritypolicies psp policy/v1beta1 false PodSecurityPolicy [create delete deletecollection get list patch update watch]
clusterrolebindings rbac.authorization.k8s.io/v1 false ClusterRoleBinding [create delete deletecollection get list patch update watch]
clusterroles rbac.authorization.k8s.io/v1 false ClusterRole [create delete deletecollection get list patch update watch]
rolebindings rbac.authorization.k8s.io/v1 true RoleBinding [create delete deletecollection get list patch update watch]
roles rbac.authorization.k8s.io/v1 true Role [create delete deletecollection get list patch update watch]
priorityclasses pc scheduling.k8s.io/v1 false PriorityClass [create delete deletecollection get list patch update watch]
csidrivers storage.k8s.io/v1 false CSIDriver [create delete deletecollection get list patch update watch]
csinodes storage.k8s.io/v1 false CSINode [create delete deletecollection get list patch update watch]
storageclasses sc storage.k8s.io/v1 false StorageClass [create delete deletecollection get list patch update watch]
volumeattachments storage.k8s.io/v1 false VolumeAttachment [create delete deletecollection get list patch update watch]
View the resources under a given apiGroup
$ kubectl api-resources --api-group apps -o wide
NAME SHORTNAMES APIVERSION NAMESPACED KIND VERBS
controllerrevisions apps/v1 true ControllerRevision [create delete deletecollection get list patch update watch]
daemonsets ds apps/v1 true DaemonSet [create delete deletecollection get list patch update watch]
deployments deploy apps/v1 true Deployment [create delete deletecollection get list patch update watch]
replicasets rs apps/v1 true ReplicaSet [create delete deletecollection get list patch update watch]
statefulsets sts apps/v1 true StatefulSet [create delete deletecollection get list patch update watch]
This only shows the resources at a coarse level. If we want finer granularity we have to go through the k8s API reference; the documentation address is:
For example, to look at Deployment-related entries:
We look at the status of the deployment resource,
which is why there is a resource called deployments/status.
apiGroups | resources |
---|---|
"" | configmaps |
"" | endpoints |
"" | events |
"" | persistentvolumeclaims |
"" | persistentvolumeclaims/status |
"" | pods |
"" | pods/attach |
"" | pods/binding |
"" | pods/eviction |
"" | pods/exec |
"" | pods/log |
"" | pods/portforward |
"" | pods/proxy |
"" | pods/status |
"" | podtemplates |
"" | replicationcontrollers |
"" | replicationcontrollers/scale |
"" | replicationcontrollers/status |
"" | resourcequotas |
"" | resourcequotas/status |
"" | secrets |
"" | serviceaccounts |
"" | serviceaccounts/token |
"" | services |
"" | services/proxy |
"" | services/status |
apps | controllerrevisions |
apps | daemonsets |
apps | daemonsets/status |
apps | deployments |
apps | deployments/scale |
apps | deployments/status |
apps | replicasets |
apps | replicasets/scale |
apps | replicasets/status |
apps | statefulsets |
apps | statefulsets/scale |
apps | statefulsets/status |
metrics.k8s.io | pods |
networking.k8s.io | ingressclasses |
networking.k8s.io | ingresses |
networking.k8s.io | networkpolicies |