Merge pull request #41556 from Zhuzhenghao/cleanup/abac

cleanup page abac
pull/30817/head
Kubernetes Prow Robot 2023-06-30 06:18:42 -07:00 committed by GitHub
commit 0e7302f383
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 65 additions and 54 deletions


@ -10,12 +10,14 @@ weight: 80
---
<!-- overview -->
Attribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together.
Attribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted
to users through the use of policies which combine attributes together.
<!-- body -->
## Policy File Format
To enable `ABAC` mode, specify `--authorization-policy-file=SOME_FILENAME` and `--authorization-mode=ABAC` on startup.
To enable `ABAC` mode, specify `--authorization-policy-file=SOME_FILENAME` and `--authorization-mode=ABAC`
on startup.
The file format is [one JSON object per line](https://jsonlines.org/). There
should be no enclosing list or map, only one map per line.
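Review bot: the reflow keeps the phrase "policies which combine attributes together", where "together" is redundant with "combine"; since these lines are being rewrapped anyway, consider "policies that combine attributes". The rest of the hunk only rewraps the overview sentence and the `--authorization-policy-file` / `--authorization-mode=ABAC` instruction at roughly 100 columns without changing wording, so no content review is needed beyond that.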
@ -24,12 +26,16 @@ Each line is a "policy object", where each such object is a map with the followi
properties:
- Versioning properties:
- `apiVersion`, type string; valid values are "abac.authorization.kubernetes.io/v1beta1". Allows versioning and conversion of the policy format.
- `apiVersion`, type string; valid values are "abac.authorization.kubernetes.io/v1beta1". Allows versioning
and conversion of the policy format.
- `kind`, type string: valid values are "Policy". Allows versioning and conversion of the policy format.
- `spec` property set to a map with the following properties:
- Subject-matching properties:
- `user`, type string; the user-string from `--token-auth-file`. If you specify `user`, it must match the username of the authenticated user.
- `group`, type string; if you specify `group`, it must match one of the groups of the authenticated user. `system:authenticated` matches all authenticated requests. `system:unauthenticated` matches all unauthenticated requests.
- `user`, type string; the user-string from `--token-auth-file`. If you specify `user`, it must match the
username of the authenticated user.
- `group`, type string; if you specify `group`, it must match one of the groups of the authenticated user.
`system:authenticated` matches all authenticated requests. `system:unauthenticated` matches all
unauthenticated requests.
- Resource-matching properties:
- `apiGroup`, type string; an API group.
- Ex: `apps`, `networking.k8s.io`
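Review bot: the continuation lines added for the `apiVersion`, `user` and `group` bullets ("and conversion of the policy format.", "username of the authenticated user.", "`system:authenticated` matches all authenticated requests...") appear flush left in this view; in the source they must be indented to the nested bullet's text column, otherwise Markdown ends the list item at the line break and renders the continuation as a separate paragraph outside the list. Please confirm the indentation is present in the file.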
@ -46,7 +52,8 @@ properties:
- Wildcard:
- `*` matches all non-resource requests.
- `/foo/*` matches all subpaths of `/foo/`.
- `readonly`, type boolean, when true, means that the Resource-matching policy only applies to get, list, and watch operations, Non-resource-matching policy only applies to get operation.
- `readonly`, type boolean, when true, means that the Resource-matching policy only applies to get, list,
and watch operations, Non-resource-matching policy only applies to get operation.
{{< note >}}
An unset property is the same as a property set to the zero value for its type
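Review bot: the rewrapped `readonly` description preserves a comma splice and a mid-sentence capital: "...get, list, and watch operations, Non-resource-matching policy only applies to get operation." Since the line is being touched, suggest "...get, list, and watch operations; a non-resource-matching policy only applies to the get operation." This matters because it is the sentence that tells operators `readonly` restricts non-resource paths to GET only, which the `system:authenticated` / `nonResourcePath: "*"` example later on the page relies on.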
@ -95,7 +102,9 @@ exposed via the `nonResourcePath` property in a policy (see [examples](#examples
To inspect the HTTP calls involved in a specific kubectl operation you can turn
up the verbosity:
```shell
kubectl --v=8 version
```
## Examples
@ -104,22 +113,26 @@ up the verbosity:
```json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "alice", "namespace": "*", "resource": "*", "apiGroup": "*"}}
```
2. The Kubelet can read any pods:
1. The kubelet can read any pods:
```json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "kubelet", "namespace": "*", "resource": "pods", "readonly": true}}
```
3. The Kubelet can read and write events:
1. The kubelet can read and write events:
```json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "kubelet", "namespace": "*", "resource": "events"}}
```
4. Bob can just read pods in namespace "projectCaribou":
1. Bob can just read pods in namespace "projectCaribou":
```json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "bob", "namespace": "projectCaribou", "resource": "pods", "readonly": true}}
```
5. Anyone can make read-only requests to all non-resource paths:
1. Anyone can make read-only requests to all non-resource paths:
```json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "system:authenticated", "readonly": true, "nonResourcePath": "*"}}
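Review bot: renumbering items 2 through 5 to `1.` relies on the renderer incrementing automatically, which only works if the list stays contiguous: the `json` fences between the items must be indented under their item (they show flush left here), otherwise each `1.` starts a new list and every example renders as item 1. Please verify the indentation in the source and that the first item above this hunk also uses `1.`. The `Kubelet` to `kubelet` casing change is consistent with the lowercase component name used elsewhere in the Kubernetes docs.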
@ -130,7 +143,8 @@ up the verbosity:
## A quick note on service accounts
Every service account has a corresponding ABAC username, and that service account's username is generated according to the naming convention:
Every service account has a corresponding ABAC username, and that service account's username is generated
according to the naming convention:
```shell
system:serviceaccount:<namespace>:<serviceaccountname>
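Review bot: the fence around `system:serviceaccount:<namespace>:<serviceaccountname>` is tagged `shell`, but the content is a username template, not a command; a plain fence (or `none`) would avoid shell highlighting treating `<namespace>` as a redirect and keeps the block from being read as something to run.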
@ -150,6 +164,3 @@ privilege to the API using ABAC, you would add this line to your policy file:
```
The apiserver will need to be restarted to pick up the new policy lines.
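Review bot: the hunk header `@ -150,6 +164,3 @@` records three lines removed at the end of the page after "The apiserver will need to be restarted to pick up the new policy lines.", but the removed lines are not visible in this view. Please confirm they were only trailing blank lines and that no closing text (for example a note on the restart step) was dropped with them.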