I set up a service account and a cluster role binding to give it view access to the pods of all namespaces:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mine-user
  namespace: mine
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mine-rolebinding
subjects:
- kind: User
  name: mine-user
  namespace: mine
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
I tried to list the deployments with curl:
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/apis/apps/v1/namespaces/mine/deployments
but I get an error:
"deployments.apps is forbidden: User \"system:serviceaccount:mine:mine-user\" cannot list resource \"deployments\" in API group \"apps\" in the namespace \"mine\""
However, the role binding does exist:
kubectl -n mine describe clusterrolebinding/mine-rolebinding
Name:         mine-rolebinding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  view
Subjects:
  Kind  Name       Namespace
  ----  ----       ---------
  User  mine-user  mine
I also get the same error when using a custom cluster role:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mine-role
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
$ kubectl -n mine describe clusterrolebinding/mine-rolebinding2
Name:         mine-rolebinding2
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  mine-role
Subjects:
  Kind  Name       Namespace
  ----  ----       ---------
  User  mine-user  mine
$ kubectl -n mine describe clusterrole/mine-role
Name:         mine-role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources         Non-Resource URLs  Resource Names  Verbs
  ---------         -----------------  --------------  -----
  deployments.apps  []                 []              [get list watch]
Posted on 2019-11-12 09:32:42
I see you created a ServiceAccount, and you are trying to create a ClusterRoleBinding with subjects.kind: User, passing the name of this ServiceAccount. That won't work.
Please change subjects.kind to ServiceAccount and remove subjects.apiGroup from the ClusterRoleBinding.
Or just apply this:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mine-user
  namespace: mine
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mine-role
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mine-rolebinding
subjects:
- kind: ServiceAccount
  name: mine-user
  namespace: mine
roleRef:
  kind: ClusterRole
  name: mine-role
  apiGroup: rbac.authorization.k8s.io
You can read more about how to refer to subjects in a RoleBinding or ClusterRoleBinding in the Kubernetes docs.
Let me know if it worked for you.
Posted on 2019-11-11 09:43:57
You also need to define a role. If you want a proper read permission on deployments, you should first check which group "deployments" belongs to:
kubectl api-resources
NAME          SHORTNAMES   APIGROUP   NAMESPACED   KIND
deployments   deploy       apps       true         Deployment
--> belongs to the "apps" group
So the role should look like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mine
  name: mine-rolebinding
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
You can check which permissions you have with the auth command:
kubectl auth can-i watch deployments --namespace mine --as mine-user
yes
More information:
https://kubernetes.io/docs/reference/access-authn-authz/authorization/
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
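Added example, not code from the question or either answer: it models how the RBAC authorizer matches a binding's subjects against the authenticated identity (the first answer's point about subjects.kind) and audits a manifest for that mistake. The manifest below is constructed inline as already-parsed documents, the form yaml.safe_load_all would return for the question's YAML; the function names are mine.

```python
# Added example (not the page's code): models RBAC subject matching and audits a
# manifest; docs below are constructed, already-parsed (yaml.safe_load_all form).

def sa_username(namespace, name):
    """Username the API server assigns to a service-account token."""
    return f"system:serviceaccount:{namespace}:{name}"

def subject_matches(subject, username, groups):
    """User/Group compare names; ServiceAccount compares the derived username."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "User":
        return name == username
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":
        return sa_username(subject.get("namespace", "default"), name) == username
    return False

def binding_applies(binding, username, groups=frozenset()):
    """True if any subject of the (Cluster)RoleBinding matches the identity."""
    return any(subject_matches(s, username, groups) for s in binding.get("subjects", []))

def find_misbound_service_accounts(docs):
    """Flag User subjects that name a ServiceAccount in the same manifest."""
    sas = {(d["metadata"].get("namespace"), d["metadata"]["name"])
           for d in docs if d.get("kind") == "ServiceAccount"}
    findings = []
    for d in docs:
        if d.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        for s in d.get("subjects", []):
            if s.get("kind") == "User" and (s.get("namespace"), s["name"]) in sas:
                findings.append(f"{d['kind']}/{d['metadata']['name']}: change subject "
                                f"{s['name']} to kind: ServiceAccount and drop apiGroup")
    return findings

# Constructed input mirroring the question's manifest.
QUESTION_DOCS = [
    {"kind": "ServiceAccount", "metadata": {"name": "mine-user", "namespace": "mine"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "mine-rolebinding"},
     "subjects": [{"kind": "User", "name": "mine-user", "namespace": "mine",
                   "apiGroup": "rbac.authorization.k8s.io"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
]
FIXED_SUBJECT = {"kind": "ServiceAccount", "name": "mine-user", "namespace": "mine"}

if __name__ == "__main__":
    token_user = sa_username("mine", "mine-user")  # identity quoted in the error message
    print(binding_applies(QUESTION_DOCS[1], token_user), binding_applies(QUESTION_DOCS[1], "mine-user"))
    print(subject_matches(FIXED_SUBJECT, token_user, set()), find_misbound_service_accounts(QUESTION_DOCS))
```

Note that `kubectl auth can-i ... --as mine-user` impersonates a user literally named mine-user, which does match the User subject, so it answers yes while the token is still denied; to test the token's own identity, impersonate `--as=system:serviceaccount:mine:mine-user`.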
https://stackoverflow.com/questions/58798392