Why kubernetes doesn't allow RoleRef of RoleBinding to be updated?

Kubernetes does not allow updating the RoleRef of a RoleBinding.
When I run the commands below, kubernetes reports the error "cannot change roleRef":

$ kubectl apply -f - << EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-crb
subjects:
- kind: User
  name: user@acme.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
EOF
clusterrolebinding "test-crb" created

$ kubectl apply -f - << EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-crb
subjects:
- kind: User
  name: user@acme.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF
The ClusterRoleBinding "test-crb" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"ClusterRole", Name:"view"}: cannot change roleRef

What I want to know is the reason.
Why doesn't kubernetes allow users to update the RoleRef?
Is there a particular reason for this?

roleRef is immutable; you need to delete and recreate the referenced role/clusterrole. Here is the relevant documentation.

After you create a binding, you cannot change the Role or ClusterRole that it refers to. If you try to change a binding's roleRef, you get a validation error. If you do want to change the roleRef for a binding, you need to remove the binding object and create a replacement.

> There are two reasons for this restriction:
>
>   1. Making roleRef immutable allows granting someone update permission on an existing binding object, so that they can manage the list of subjects, without being able to change the role that is granted to those subjects.
>   2. A binding to a different role is a fundamentally different binding. Requiring a binding to be deleted/recreated in order to change the roleRef ensures the full list of subjects in the binding is intended to be granted the new role (as opposed to enabling or accidentally modifying only the roleRef without verifying all of the existing subjects should be given the new role's permissions).
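The following is an added example, not code from the original post or from Kubernetes itself. It models the two points above in a few dozen lines of Python: an in-place UPDATE of a binding is validated so that `subjects` may change but `roleRef` may not (the same "cannot change roleRef" rejection the question shows), and changing the role is only possible by deleting the binding and creating a replacement that carries the full subject list. `BindingStore`, `validate_binding_update` and `change_role_ref` are hypothetical names for this illustration; the sample binding objects are constructed to mirror the manifests in the question.

```python
# Added example (not from the original post or from Kubernetes): a small model
# of the API server's update validation for (Cluster)RoleBindings, plus the
# delete-and-recreate path that is the only way to change roleRef.
from copy import deepcopy
from typing import Dict, List

# Constructed sample object mirroring the first manifest in the question.
EDIT_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "test-crb"},
    "subjects": [{"kind": "User", "name": "user@acme.com",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "ClusterRole", "name": "edit",
                "apiGroup": "rbac.authorization.k8s.io"},
}


def validate_binding_update(old: Dict, new: Dict) -> List[str]:
    """Return validation errors for replacing `old` with `new` in place.

    Mirrors the rule applied on UPDATE: the name and the roleRef are
    immutable, while the subject list may change freely.
    """
    errors = []
    if new["metadata"]["name"] != old["metadata"]["name"]:
        errors.append("metadata.name: field is immutable")
    if new["roleRef"] != old["roleRef"]:
        ref = new["roleRef"]
        errors.append(
            f'roleRef: Invalid value: {ref["kind"]}/{ref["name"]}: cannot change roleRef')
    return errors


class BindingStore:
    """In-memory stand-in for the cluster: create/update/delete of bindings."""

    def __init__(self) -> None:
        self._objs: Dict[str, Dict] = {}

    def create(self, obj: Dict) -> None:
        name = obj["metadata"]["name"]
        if name in self._objs:
            raise ValueError(f"{name} already exists")
        self._objs[name] = deepcopy(obj)

    def update(self, obj: Dict) -> None:
        old = self._objs[obj["metadata"]["name"]]
        errs = validate_binding_update(old, obj)
        if errs:
            raise ValueError("; ".join(errs))
        self._objs[obj["metadata"]["name"]] = deepcopy(obj)

    def delete(self, name: str) -> None:
        del self._objs[name]

    def get(self, name: str) -> Dict:
        return deepcopy(self._objs[name])


def change_role_ref(store: BindingStore, name: str, new_role: str) -> Dict:
    """The documented way to change roleRef: delete, then create a replacement.

    The replacement is written out with its full subject list, so whoever
    does this is explicitly re-asserting that every subject gets the new role.
    """
    replacement = store.get(name)
    replacement["roleRef"]["name"] = new_role
    store.delete(name)
    store.create(replacement)
    return store.get(name)


def demo():
    """Run through both rationales; returns (escalation_blocked, role, n_subjects)."""
    store = BindingStore()
    store.create(EDIT_BINDING)

    # Someone holding only `update` on clusterrolebindings can add a subject...
    with_extra = store.get("test-crb")
    with_extra["subjects"].append({"kind": "Group", "name": "dev-team",
                                   "apiGroup": "rbac.authorization.k8s.io"})
    store.update(with_extra)

    # ...but cannot escalate by pointing the same binding at a stronger role.
    escalate = store.get("test-crb")
    escalate["roleRef"]["name"] = "cluster-admin"
    try:
        store.update(escalate)
        blocked = False
    except ValueError:
        blocked = True

    # Changing the role legitimately is delete + create, as the docs describe.
    final = change_role_ref(store, "test-crb", "view")
    return blocked, final["roleRef"]["name"], len(final["subjects"])


if __name__ == "__main__":
    print(demo())
```

With a real cluster the equivalent of `change_role_ref` is `kubectl delete clusterrolebinding test-crb` followed by re-applying the manifest with the new `roleRef`, or `kubectl replace --force -f <file>`, which deletes and recreates the object in one step; a plain `kubectl apply` patches the existing object and therefore hits the validation error shown in the question.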