Granting events view permission in terraform
We have on-premises Kubernetes clusters managed by Rancher, which we provision as code with Terraform. However, I can't seem to grant my group devops permission to view events in the cluster.
These are the role and role binding:
resource "rancher2_role_template" "events-view" {
  name        = "Cluster Events View"
  description = "Terraform role template to see cluster events"
  rules {
    api_groups = ["*"]
    resources  = ["events"]
    verbs      = ["get", "watch"]
  }
}

resource "rancher2_cluster_role_template_binding" "events-view" {
  name               = "events-view"
  cluster_id         = rancher2_cluster.rancher_cluster.id
  role_template_id   = rancher2_role_template.events-view.id
  group_principal_id = lookup(var.projects["devops"], "ldap_cn")
  depends_on = [
    rancher2_role_template.events-view
  ]
}
This is the devops definition:
projects = {
  devops = {
    ldap_cn = "activedirectory_group://CN=devops,OU=Distribution Groups,OU=My,DC=Company",
    name    = "devops",
    # ...more attributes
  },
  # ...more projects
}
When I run terraform apply I can see the role and the role binding being created:
rancher2_role_template.events-view: Creating...
rancher2_role_template.events-view: Creation complete after 0s [id=rt-h7xt4]
rancher2_cluster_role_template_binding.events-view: Creating...
rancher2_cluster_role_template_binding.events-view: Creation complete after 2s [id=c-6bdtb:events-view]
kubectl shows the cluster role and the cluster role binding (shown here for the default namespace, but they are replicated in all namespaces too):
$ kubectl describe clusterrole rt-h7xt4
Name:         rt-h7xt4
Labels:       cattle.io/creator=norman
Annotations:  authz.cluster.cattle.io/clusterrole-owner: rt-h7xt4
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  events.*   []                 []              [get watch]

$ kubectl describe clusterrolebinding clusterrolebinding-hkc9b
Name:         clusterrolebinding-hkc9b
Labels:       authz.cluster.cattle.io/rtb-owner=6f990492-8f60-4950-bb8e-cfa4a9760c01
              cattle.io/creator=norman
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  rt-h7xt4
Subjects:
  Kind   Name                                                                      Namespace
  ----   ----                                                                      ---------
  Group  activedirectory_group://CN=devops,OU=Distribution Groups,OU=My,DC=Company
My user is a member of the devops AD group, and in the terraform apply log I can see the role template and the binding being created, but when I log in to Rancher and click Launch kubectl I can't see events in any namespace:
> kubectl get events
Error from server (Forbidden): events is forbidden: User "u-w8rp43jtbn" cannot list resource "events" in API group "" in the namespace "default"
> kubectl get events -n devops
Error from server (Forbidden): events is forbidden: User "u-w8rp44jtbn" cannot list resource "events" in API group "" in the namespace "devops"
I've tried putting an empty string in api_groups, as well as the Kubernetes and Rancher API groups, but nothing seems to make any difference.
The problem was that I had created a cluster role template instead of a project role template.
In the rancher2_role_template resource I added context = "project" and changed rancher2_cluster_role_template_binding to rancher2_project_role_template_binding.
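The corrected configuration the answer describes, written out as an added example (this is not the asker's or the answerer's code). It assumes a rancher2_project resource named devops exists for the cluster and that var.projects is the map shown in the question; it also adds the list verb, because kubectl get events with no resource name is a list call, which is exactly what the Forbidden error above says is missing.

```hcl
# Added example, not the original poster's code.
# Assumptions: rancher2_project.devops exists for the cluster, and
# var.projects is the map from the question.

resource "rancher2_role_template" "events-view" {
  name        = "Project Events View"
  description = "Terraform role template to see events in a project"
  context     = "project" # project-scoped template, not the default "cluster"

  rules {
    # Core API group; this is the group "" named in the Forbidden error.
    api_groups = [""]
    resources  = ["events"]
    # "kubectl get events" lists the resource, so "list" is required
    # alongside "get" and "watch"; nothing broader is granted.
    verbs = ["get", "list", "watch"]
  }
}

resource "rancher2_project_role_template_binding" "events-view" {
  name               = "events-view"
  project_id         = rancher2_project.devops.id # assumed resource
  role_template_id   = rancher2_role_template.events-view.id
  group_principal_id = lookup(var.projects["devops"], "ldap_cn")
  # No depends_on needed: the role_template_id reference already
  # orders the binding after the template.
}
```

After terraform apply, a member of the group can confirm the grant from the Rancher kubectl shell with kubectl auth can-i list events -n devops, which should print yes for namespaces in the project and no elsewhere.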