限制 ServiceAccount / Role 以管理所有集群中的秘密
Restrict ServiceAccount / Role to manage secrets in all clusters
我正在尝试限制 ServiceAccount 的 RBAC 权限以管理所有命名空间中的秘密:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-secrets-manager
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- gitlab-registry
verbs:
- get
- list
- create
- update
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab-service-account
namespace: gitlab
secrets:
- name: gitlab-service-account-token-lllll
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-service-account-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gitlab-secrets-manager
subjects:
- kind: ServiceAccount
name: gitlab-service-account
namespace: gitlab
到目前为止,我已经创建了 ServiceAccount 和相关的 CRB,但是操作失败:
secrets "gitlab-registry" is forbidden: User "system:serviceaccount:gitlab:default" cannot get resource "secrets" in API group "" in the namespace "shamil"
有人知道我错过了什么吗?
您可以执行以下步骤:
- 首先,您需要确保集群中存在
gitlab 命名空间中名为 gitlab-service-account 的服务帐户。
- 然后您将创建一个
ClusterRole,如您所提供的:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-secrets-manager
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- gitlab-registry
verbs:
- get
- list
- create
- update
- 然后您还将创建一个
ClusterRoleBinding以在集群级别授予权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-secrets-manager-clusterrolebinding
subjects:
- kind: ServiceAccount
name: gitlab-service-account
namespace: gitlab
roleRef:
kind: ClusterRole
name: gitlab-secrets-manager
apiGroup: rbac.authorization.k8s.io
我正在尝试限制 ServiceAccount 的 RBAC 权限以管理所有命名空间中的秘密:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-secrets-manager
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- gitlab-registry
verbs:
- get
- list
- create
- update
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab-service-account
namespace: gitlab
secrets:
- name: gitlab-service-account-token-lllll
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-service-account-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gitlab-secrets-manager
subjects:
- kind: ServiceAccount
name: gitlab-service-account
namespace: gitlab
到目前为止,我已经创建了 ServiceAccount 和相关的 CRB,但是操作失败:
secrets "gitlab-registry" is forbidden: User "system:serviceaccount:gitlab:default" cannot get resource "secrets" in API group "" in the namespace "shamil"
有人知道我错过了什么吗?
您可以执行以下步骤:
- 首先,您需要确保集群中存在
gitlab命名空间中名为gitlab-service-account的服务帐户。 - 然后您将创建一个
ClusterRole,如您所提供的:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-secrets-manager
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- gitlab-registry
verbs:
- get
- list
- create
- update
- 然后您还将创建一个
ClusterRoleBinding以在集群级别授予权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-secrets-manager-clusterrolebinding
subjects:
- kind: ServiceAccount
name: gitlab-service-account
namespace: gitlab
roleRef:
kind: ClusterRole
name: gitlab-secrets-manager
apiGroup: rbac.authorization.k8s.io