如何制作一个允许对命名空间中的角色和角色绑定进行所有操作的 k8s 角色?
How to make a k8s role that allows all operations on roles and rolebindings in a namespace?
我想创建一个允许在命名空间级别对 "Roles" 和 "RoleBindings"(但不是 ClusterRoles 或 ClusterRoleBindings)执行任何操作的角色。
这是我放在一起的 YAML 角色,但是在将它绑定到服务帐户时,它现在被应用了。我做错了什么?
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: role-binder
namespace: foo-namespace
rules:
- apiGroups:
- rbac.authorization.k8s.io
resources:
- Role
- RoleBinding
verbs:
- '*'
您可以通过以下规则实现:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: role-grantor
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["rolebindings"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: role-grantor-binding
namespace: office
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: role-grantor
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: employee
我在我的实验室进行了测试,它如您所愿:
$ kubectl --context=employee-context get role
NAME AGE
deployment-manager 15m
role-binder 12m
$ kubectl --context=employee-context get rolebindings
NAME AGE
deployment-manager-binding 15m
role-grantor-binding 3m37s
$ kubectl --context=employee-context get clusterrolebindings
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "employee" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
您可以在 documentation.
中具体阅读更多相关信息
我想创建一个允许在命名空间级别对 "Roles" 和 "RoleBindings"(但不是 ClusterRoles 或 ClusterRoleBindings)执行任何操作的角色。
这是我放在一起的 YAML 角色,但是在将它绑定到服务帐户时,它现在被应用了。我做错了什么?
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: role-binder
namespace: foo-namespace
rules:
- apiGroups:
- rbac.authorization.k8s.io
resources:
- Role
- RoleBinding
verbs:
- '*'
您可以通过以下规则实现:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: role-grantor
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["rolebindings"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: role-grantor-binding
namespace: office
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: role-grantor
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: employee
我在我的实验室进行了测试,它如您所愿:
$ kubectl --context=employee-context get role
NAME AGE
deployment-manager 15m
role-binder 12m
$ kubectl --context=employee-context get rolebindings
NAME AGE
deployment-manager-binding 15m
role-grantor-binding 3m37s
$ kubectl --context=employee-context get clusterrolebindings
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "employee" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
您可以在 documentation.
中具体阅读更多相关信息