是否所有的gitlab托管服务账号都可以有一定的角色绑定
Can all gitlab managed service account have a certain role binding
我喜欢给每个 gitlab 命名空间/项目(微服务)一个 ServiceMonitor 来自 monitoring.coreos.com [=12] =].
但是当 运行 一个 gitlab 管道创建它时,会出现一个错误,即
无法创建此资源
servicemonitors.monitoring.coreos.com "service-monitor" is forbidden: User "system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "ABC_NAMESPACE"
所以我通过为单个命名空间应用 Role 和 RoleBinding 来解决一个微服务,但对所有的人都这样做真的很好。
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service_cluster_monitor_reader
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
resources: ["servicemonitors"]
verbs: ["get", "create", "update", "patch", "delete"]
---
kind: CluserRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-monitor-binding
subjects:
- kind: ServiceAccount
name: gitlab-project-id-dev-service-account
roleRef:
kind: ClusterRole
name: service_cluster_monitor_reader
apiGroup: rbac.authorization.k8s.io
是否可以给所有 gitlab 创建的命名空间一个角色绑定来获得这个权限?
虽然仅在 gitlab 创建的命名空间中将此权限授予服务帐户并非易事,但您可以使用以下方法将此权限分配给集群中所有命名空间中的所有服务帐户。
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service_cluster_monitor_reader
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
resources: ["servicemonitors"]
verbs: ["get", "create", "update", "patch", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-monitor-binding
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: service_cluster_monitor_reader
apiGroup: rbac.authorization.k8s.io
通过
验证权限
kubectl auth can-i get servicemonitors --as=system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account -n ABC_NAMESPACE
我喜欢给每个 gitlab 命名空间/项目(微服务)一个 ServiceMonitor 来自 monitoring.coreos.com [=12] =]. 但是当 运行 一个 gitlab 管道创建它时,会出现一个错误,即
无法创建此资源 servicemonitors.monitoring.coreos.com "service-monitor" is forbidden: User "system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account" cannot get resource "servicemonitors" in API group "monitoring.coreos.com" in the namespace "ABC_NAMESPACE"
所以我通过为单个命名空间应用 Role 和 RoleBinding 来解决一个微服务,但对所有的人都这样做真的很好。
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service_cluster_monitor_reader
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
resources: ["servicemonitors"]
verbs: ["get", "create", "update", "patch", "delete"]
---
kind: CluserRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-monitor-binding
subjects:
- kind: ServiceAccount
name: gitlab-project-id-dev-service-account
roleRef:
kind: ClusterRole
name: service_cluster_monitor_reader
apiGroup: rbac.authorization.k8s.io
是否可以给所有 gitlab 创建的命名空间一个角色绑定来获得这个权限?
虽然仅在 gitlab 创建的命名空间中将此权限授予服务帐户并非易事,但您可以使用以下方法将此权限分配给集群中所有命名空间中的所有服务帐户。
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service_cluster_monitor_reader
rules:
- apiGroups: ["monitoring.coreos.com"] # "" indicates the core API group
resources: ["servicemonitors"]
verbs: ["get", "create", "update", "patch", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cluster-monitor-binding
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: service_cluster_monitor_reader
apiGroup: rbac.authorization.k8s.io
通过
验证权限kubectl auth can-i get servicemonitors --as=system:serviceaccount:ABC_NAMESPACE:ABC-dev-service-account -n ABC_NAMESPACE