Unable to create deployment in a namespace with service account, ClusterRole and ClusterRoleBinding created
I am practising Kubernetes security. This is an exercise I came across that I need to solve.
Question:
Create a serviceaccount 'john' with permission to create, delete and get deployments, statefulsets and daemonsets in the given namespace 'hr'. A clusterrole and clusterrolebinding need to be created.
Approach:
I tried creating the sa, a clusterrole and a clusterrolebinding (binding the clusterrole to the created sa), but when I check it gives 'no':
kubectl auth can-i create deploy --as john -n hr
no
Create the sa:
kubectl create sa john
Create the cluster role:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: hrcrole
rules:
- apiGroups: ["apps"]
  # at the HTTP level these resources are addressed by their plural names
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["get", "watch", "list", "delete"]
Create the cluster role binding:
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding grants the "hrcrole" ClusterRole to the user "hruser" in every namespace.
kind: ClusterRoleBinding
metadata:
  name: hrcrolebind
subjects:
- kind: User
  name: hruser # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: hrcrole
  apiGroup: rbac.authorization.k8s.io
I also tried creating the serviceaccount in the namespace and creating the clusterrolebinding in the namespace, but I still get 'no'. Unfortunately I have no solution for this problem. Any help is appreciated.
You are trying to create a deployment:
kubectl auth can-i create deploy --as john -n hr
but you do not have the create verb allowed in your cluster role:
verbs: ["get", "watch", "list", "delete"]
Try recreating the cluster role like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: hrcrole
rules:
- apiGroups: ["apps"]
  # at the HTTP level these resources are addressed by their plural names
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["create", "get", "watch", "list", "delete"]
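The answer adds the missing verb, but the check itself also matters: `--as john` impersonates a User named john, whereas a ServiceAccount's identity is `system:serviceaccount:hr:john`, and the posted binding names the User hruser. The following Python model is an added example, not code from the thread or from Kubernetes; it re-implements a simplified version of the RBAC decision (assumption: only the fields used on this page, with the short name `deploy` expanded to `deployments`) so both effects can be checked offline.

```python
# Added example, not from the original thread: a small offline model of Kubernetes
# RBAC evaluation. Assumption: only apiGroups/resources/verbs, subjects, roleRef and
# the binding namespace are modelled; no wildcards, Group subjects or aggregation.

def sa_user(namespace, name):
    # Username the API server assigns to a ServiceAccount's token
    return f"system:serviceaccount:{namespace}:{name}"

def subject_matches(subject, user):
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "ServiceAccount":
        return sa_user(subject["namespace"], subject["name"]) == user
    return False  # Group subjects are not modelled

def can_i(user, verb, group, resource, namespace, roles, bindings):
    """Equivalent of `kubectl auth can-i <verb> <resource> --as <user> -n <namespace>`."""
    for b in bindings:
        # A RoleBinding grants only inside its own namespace;
        # a ClusterRoleBinding grants the referenced role in every namespace.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user) for s in b["subjects"]):
            continue
        role = roles[(b["roleRef"]["kind"], b["roleRef"]["name"])]
        if any(group in r["apiGroups"] and resource in r["resources"] and verb in r["verbs"]
               for r in role["rules"]):
            return True
    return False

def cluster_role(verbs):
    return {"kind": "ClusterRole", "metadata": {"name": "hrcrole"},
            "rules": [{"apiGroups": ["apps"], "verbs": verbs,
                       "resources": ["deployments", "statefulsets", "daemonsets"]}]}

# Constructed from the asker's manifests: User "hruser" bound to a role without "create".
ASKER_ROLE = cluster_role(["get", "watch", "list", "delete"])
ASKER_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "hrcrolebind"},
                 "subjects": [{"kind": "User", "name": "hruser"}],
                 "roleRef": {"kind": "ClusterRole", "name": "hrcrole"}}
# Corrected: add "create" and bind the ServiceAccount john from namespace hr.
FIXED_ROLE = cluster_role(["create", "get", "watch", "list", "delete"])
FIXED_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "hrcrolebind"},
                 "subjects": [{"kind": "ServiceAccount", "name": "john", "namespace": "hr"}],
                 "roleRef": {"kind": "ClusterRole", "name": "hrcrole"}}

def check(role, binding, user, verb="create", namespace="hr"):
    roles = {(role["kind"], role["metadata"]["name"]): role}
    return can_i(user, verb, "apps", "deployments", namespace, roles, [binding])
```

With the corrected objects, `check(FIXED_ROLE, FIXED_BINDING, sa_user("hr", "john"))` is true in every namespace, because a ClusterRoleBinding is cluster-wide; binding the same ClusterRole with a RoleBinding in `hr` confines john to that one namespace, which is the least-privilege shape for the exercise's wording.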