Kubernetes cluster role with permissions to watch events
I am trying to create a cluster role with permission to watch events, but I seem to be missing something.
I am using the following:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: watch-events
  namespace: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: watch-events-cluster
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: watch-events-cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: watch-events-cluster
subjects:
- kind: ServiceAccount
  name: watch-events
  namespace: test
No matter what I try with kubectl auth can-i watch events --as watch-events
I always get no.
Am I missing something?
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions
Default RBAC policies grant scoped permissions to control-plane components, nodes, and controllers, but grant no permissions to service accounts outside the kube-system namespace (beyond discovery permissions given to all authenticated users).
The RBAC is correct and grants cluster-wide permission to watch events in all namespaces, but the kubectl command is incorrect. The command should be
kubectl auth can-i watch events --as=system:serviceaccount:test:watch-events
If you make API calls against the Kubernetes swagger API, you need to use the suffix .k8s.io to correctly specify the events API group
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#-strong-api-groups-strong-
---
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 of the RBAC API was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: my-custom-role   # ClusterRole is cluster-scoped, so it takes no namespace
rules:
- apiGroups:
  - ''               # core group: the legacy v1 events resource
  - events.k8s.io    # the newer events API group, a separate group that must be listed explicitly
  resources:
  - events
  verbs:
  - '*'   # broader than the question needs; 'watch' alone is enough for watching events
---
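Both answers above come down to how the RBAC authorizer matches a request against bindings and rules: the subject in the ClusterRoleBinding is a ServiceAccount, which authenticates as the username system:serviceaccount:test:watch-events (so --as watch-events impersonates an unrelated User), and "" and events.k8s.io are two distinct apiGroups (so a rule for one does not cover the other). The following is an added example, not code from the original post or from Kubernetes: a deliberately simplified model of the RBAC authorizer that keeps only ClusterRoles, ClusterRoleBindings and the apiGroup/resource/verb match (no Roles, resourceNames, subresources or nonResourceURLs), with the question's objects transcribed into it. The names ROLES, ROLES_FIXED, BINDINGS and can_i are this example's own.

```python
"""Simplified model of the Kubernetes RBAC authorizer (added example, not
Kubernetes source). Real RBAC also evaluates Roles/RoleBindings, resourceNames,
subresources and nonResourceURLs; this keeps only what the thread turns on."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple   # "" is the core group; "*" matches any group
    resources: tuple
    verbs: tuple


@dataclass(frozen=True)
class Subject:
    kind: str            # "ServiceAccount", "User" or "Group"
    name: str
    namespace: str = ""  # only used for ServiceAccount subjects


@dataclass(frozen=True)
class Request:
    user: str            # username as the API server sees it after authn/impersonation
    verb: str
    api_group: str
    resource: str
    groups: frozenset = frozenset({"system:authenticated"})


def service_account_username(namespace, name):
    """The username a ServiceAccount token authenticates as (and what --as must name)."""
    return f"system:serviceaccount:{namespace}:{name}"


def subject_matches(subject, req):
    if subject.kind == "ServiceAccount":
        return req.user == service_account_username(subject.namespace, subject.name)
    if subject.kind == "User":
        return req.user == subject.name
    if subject.kind == "Group":
        return subject.name in req.groups
    return False


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    return (_matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource)
            and _matches(rule.verbs, req.verb))


def authorize(req, roles, bindings):
    """RBAC is allow-only: the request is permitted iff some binding whose subject
    matches the requester points at a role with a rule covering the request."""
    for role_name, subjects in bindings:
        if not any(subject_matches(s, req) for s in subjects):
            continue
        if any(rule_allows(r, req) for r in roles.get(role_name, ())):
            return True
    return False


# The question's ClusterRole and ClusterRoleBinding, transcribed from the YAML.
ROLES = {"watch-events-cluster": (Rule(("",), ("events",), ("watch",)),)}
BINDINGS = [("watch-events-cluster",
             (Subject("ServiceAccount", "watch-events", "test"),))]

# The same role with the events.k8s.io group added, as the last answer suggests.
ROLES_FIXED = {"watch-events-cluster":
               (Rule(("", "events.k8s.io"), ("events",), ("watch",)),)}


def can_i(user, verb, resource, api_group="", roles=ROLES, bindings=BINDINGS):
    """Local stand-in for `kubectl auth can-i VERB RESOURCE --as=USER`."""
    return authorize(Request(user, verb, api_group, resource), roles, bindings)


if __name__ == "__main__":
    sa = service_account_username("test", "watch-events")
    # `--as watch-events` impersonates a User literally named "watch-events":
    # no binding names such a user, so the answer is no.
    print(can_i("watch-events", "watch", "events"))
    # the full service-account username matches the binding's subject
    print(can_i(sa, "watch", "events"))
    # same identity, but events.k8s.io is a different apiGroup from ""
    print(can_i(sa, "watch", "events", api_group="events.k8s.io"))
    print(can_i(sa, "watch", "events", api_group="events.k8s.io", roles=ROLES_FIXED))
```

The same checks against a real cluster are kubectl auth can-i watch events --as=system:serviceaccount:test:watch-events and kubectl auth can-i watch events.events.k8s.io --as=system:serviceaccount:test:watch-events; the second one only turns yes once the role lists events.k8s.io as an apiGroup. The impersonating user also needs the impersonate verb on users (cluster admins have it), otherwise the command fails before authorization of the watch is even evaluated.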