Why can't I create pods as a user with enough permissions in Kubernetes?
I'm following a tutorial on RBAC, and I think I understand the main idea, but I don't understand why this fails:
kc auth can-i "*" pod/compute --as deploy@test.com
no
kc create clusterrole deploy --verb="*" --resource=pods --resource-name=compute
clusterrole.rbac.authorization.k8s.io/deploy created
kc create clusterrolebinding deploy --user=deploy@test.com --clusterrole=deploy
clusterrolebinding.rbac.authorization.k8s.io/deploy created
# this tells me that deploy@test.com should be able to create a pod named compute
kc auth can-i "*" pod/compute --as deploy@test.com
yes
# but it fails when trying to do so
kc run compute --image=nginx --as deploy@test.com
Error from server (Forbidden): pods is forbidden: User "deploy@test.com" cannot create resource "pods" in API group "" in the namespace "default"
The namespace name should be irrelevant AFAIK, since this is a ClusterRole.
Restricting create permissions to a specific resource name is not supported.
This is from the Kubernetes documentation:
Note: You cannot restrict create or deletecollection requests by resourceName. For create, this limitation is because the object name is not known at authorization time.
This means the ClusterRole you created does not allow you to create any Pod.
You need to assign another ClusterRole that does not specify a resource name.
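An added example of the fix, not part of the question or answer: a ClusterRole that grants `create` on pods with no `resourceNames` (the only form the authorizer can match for create), while keeping the name-scoped rule for verbs that act on an already-named object. The names `deploy`, `deploy@test.com` and `compute` are taken from the question; everything else is assumed.

```yaml
# Added example (not from the original post). Replaces the ClusterRole
# "deploy" created with --resource-name=compute, which can never match a
# create request because the object name is unknown at authorization time.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deploy
rules:
  # create (and deletecollection) cannot be restricted by resourceName,
  # so this rule must be name-free or every create is denied.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create"]
  # Verbs that operate on an existing object can be scoped to the name
  # "compute"; this is where resourceNames actually takes effect.
  - apiGroups: [""]
    resources: ["pods"]
    resourceNames: ["compute"]
    verbs: ["get", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deploy
subjects:
  - kind: User
    name: deploy@test.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: deploy
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f` and verify with `kubectl auth can-i create pods --as deploy@test.com`, without a resource name. The check in the question passed because `kubectl auth can-i "*" pod/compute` submits an access review that already carries the name `compute`, so the `resourceNames` rule matched; the real `kubectl run` sends a create request with no name for the authorizer to compare, which is why it was denied. Since the name-free `create` rule is cluster-wide, consider a namespaced Role and RoleBinding instead if the user only needs to create pods in one namespace.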