Restrict user to access only one service in a namespace
I have been trying a scenario where a user should be able to perform all operations on the services in a namespace, except for one service on which he should only be able to perform read operations.
Below is the ClusterRole I use to grant service access to all users at the cluster level.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterRole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - replicationcontrollers
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - serviceaccounts
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - namespaces
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - replicasets
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
And I have created the associated RoleBinding for the ClusterRole above.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: ClusterRole
  name: test-clusterRole
  apiGroup: rbac.authorization.k8s.io
Now I am trying to create a Role and a RoleBinding for the namespace "test-namespace" that restrict the user "pradeep" to read-only access on the specific service "test-service", as shown below.
Role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-role
  namespace: test-namespace
rules:
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["test-service"]
  verbs: ["get", "list", "watch"]
RoleBinding:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding1
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: Role
  name: test-role
  apiGroup: rbac.authorization.k8s.io
However, for some reason the user "pradeep" is still able to delete the specified service "test-service".
Do the test-clusterRole permissions override the test-role permissions? If so, how can this be resolved?
If not, please suggest a way to implement this scenario.
ClusterRole and Role permissions are additive. The ClusterRole permissions act as the base permissions for any namespace, and the namespace-specific Role permissions are added on top of them.
If the user should only have access to a single namespace, he cannot be assigned to a ClusterRole.
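The additive behaviour the answer describes can be made concrete with a small evaluator. The block below is an added illustration, not the Kubernetes authorizer and not code from the question or the answer: it reproduces RBAC's union semantics (a request is allowed if any rule of any role bound to the subject in that namespace matches; there is no deny rule, and `resourceNames` only narrows the rule it belongs to). The `test-clusterRole` and `test-role` rules are transcribed from the question's YAML; the `svc-writer` role, the `other-service` name and the `prod` namespace are assumptions used to show one way of expressing "write on the other services, read-only on this one" once the ClusterRole binding is dropped.

```python
CORE = ""  # the core API group, written as "" in RBAC rules

# test-clusterRole: only the rule that touches services is reproduced; the
# question's other rules do not affect the decisions evaluated here.
TEST_CLUSTER_ROLE = [
    {"apiGroups": [CORE], "resources": ["replicationcontrollers", "services"],
     "verbs": ["get", "list", "watch", "create", "delete", "update"]},
]

# test-role from the question: read-only on the single service "test-service"
TEST_ROLE = [
    {"apiGroups": [CORE], "resources": ["services"],
     "resourceNames": ["test-service"], "verbs": ["get", "list", "watch"]},
]

# A binding is (namespace, subject, rules). A RoleBinding that references a
# ClusterRole grants that ClusterRole's rules inside the binding's namespace.
BINDINGS_FROM_QUESTION = [
    ("test-namespace", "pradeep", TEST_CLUSTER_ROLE),  # test-roleBinding
    ("test-namespace", "pradeep", TEST_ROLE),          # test-roleBinding1
]


def _matches(field, value):
    """A rule field matches if it lists the value or the wildcard '*'."""
    return value in field or "*" in field


def rule_allows(rule, verb, group, resource, name):
    """Does one PolicyRule match the request? Every field is an allow-list;
    resourceNames narrows this rule only and never excludes objects that
    some other rule grants."""
    if not _matches(rule["verbs"], verb):
        return False
    if not _matches(rule["apiGroups"], group):
        return False
    if not _matches(rule["resources"], resource):
        return False
    names = rule.get("resourceNames") or []   # empty list means "all names"
    if names and name not in names:
        return False
    return True


def can_i(bindings, user, verb, resource, namespace, name=None, group=CORE):
    """Union evaluation: allowed iff any rule in any binding for this user
    in this namespace matches. Returns True or False."""
    return any(
        rule_allows(rule, verb, group, resource, name)
        for ns, subject, rules in bindings
        if ns == namespace and subject == user
        for rule in rules
    )


# The situation from the question: test-role does not match a delete, but
# test-clusterRole does, and a single match is enough.
STILL_ALLOWED = can_i(BINDINGS_FROM_QUESTION, "pradeep", "delete", "services",
                      "test-namespace", name="test-service")

# One way to express the intent (assumed roles, not from the page): drop the
# ClusterRole binding, as the answer says, and grant write access to the other
# services by allow-listing their names. Caveat: "create" cannot be limited by
# resourceNames (the object has no name when the request is authorized), so
# creation of new services needs a separate decision.
SVC_WRITER_ROLE = [  # hypothetical Role "svc-writer"
    {"apiGroups": [CORE], "resources": ["services"],
     "resourceNames": ["other-service"],   # constructed example service name
     "verbs": ["get", "list", "watch", "update", "delete"]},
]
BINDINGS_FIXED = [
    ("test-namespace", "pradeep", TEST_ROLE),
    ("test-namespace", "pradeep", SVC_WRITER_ROLE),
]


def check_fixed():
    """Decisions under the fixed bindings, keyed by a readable request."""
    def fixed(verb, ns, name):
        return can_i(BINDINGS_FIXED, "pradeep", verb, "services", ns, name=name)
    return {
        "delete test-service": fixed("delete", "test-namespace", "test-service"),
        "get test-service": fixed("get", "test-namespace", "test-service"),
        "delete other-service": fixed("delete", "test-namespace", "other-service"),
        "delete in prod namespace": fixed("delete", "prod", "other-service"),
    }


if __name__ == "__main__":
    print("question setup, delete test-service:", STILL_ALLOWED)
    for request, allowed in check_fixed().items():
        print(f"fixed setup, {request}: {allowed}")
```

On a real cluster the equivalent check is `kubectl auth can-i delete services/test-service --as pradeep -n test-namespace`, which asks the API server's authorizer directly and is the quickest way to confirm that a binding change had the intended effect before handing the credentials to the user.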