alibaba / kt-connect

A toolkit for Integrating with your kubernetes dev environment more efficiently
https://alibaba.github.io/kt-connect/#/
GNU General Public License v3.0
1.48k stars, 230 forks

Security concern about ktconnect using .kube/config to connect to the cluster #420

Open huxiangquan opened 1 year ago

huxiangquan commented 1 year ago

By default this file carries full permissions on the cluster; whoever has it can take complete control of the cluster with kubectl or similar tools, which is an enormous risk. Since ktconnect only needs to perform its current functions, should it consider creating a new user config for connecting to the cluster, or provide corresponding permission role-binding settings?

huxiangquan commented 1 year ago

A tested, working ROLE configuration:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ktuser-cr
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/portforward"]  # mainly pods/exec and pods/portforward
    verbs: ["create", "update", "patch", "get", "list", "delete"]
```

Bind it to a serviceAccount and generate a kubeconfig file.