Aggregate Cluster Role

[llhuii]

https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles

目的：可以将多个clusterRole 自动的聚合起来成一个聚合cluster role

例子

获取当前聚合cluster Role:

$ for i in $(k get clusterrole -o name); do k get $i  -o yaml |grep 'aggregationRule' -q && echo $i; done
clusterrole.rbac.authorization.k8s.io/admin                                                                    
clusterrole.rbac.authorization.k8s.io/edit                                                                     
clusterrole.rbac.authorization.k8s.io/view 

$ kubectl get clusterrole admin -o yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
... 此处省略

$ k get clusterrole -l rbac.authorization.k8s.io/aggregate-to-admin=true
NAME                        CREATED AT
edit                        2021-09-14T03:05:31Z
system:aggregate-to-admin   2021-09-14T03:05:31Z

实现原理

在kube-controller-manager里clusterroleaggregation, code

• list/watch clusterrole 资源，放到queue
• worker从queue取 cluster role资源，遍历AggregationRule.ClusterRoleSelectors, 从informer的indexer获取匹配的clusterrole， 放入到rules。 最后更新rules到该aggregate cluster role

[llhuii]

rule 定义https://github.com/kubernetes/api/blob/master/rbac/v1/types.go#L49 例子：

rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-config"]
  verbs: ["get"]