How to get admin access to multiple namespaces on Kubernetes?
I have an application with two parts: a deployer and the application runtime environment. The deployer needs access to different namespaces in order to launch, edit and delete application deployments, svc, configmaps, etc.
I first launch the deployer via a Helm chart; the deployer then exposes some APIs for managing applications (launch, edit, delete).
My question is how to write a ClusterRole for my deployer that only has access to a set of pre-created namespaces without giving it full cluster access (the deployer should not be able to create, edit or delete namespaces). Or do I have to create a Role for each namespace and add them to the deployer's Helm chart before installing?
You can create a ClusterRole that describes what the role can do. Then create a RoleBinding in each namespace in which you want the role's users to have permissions. Here is a good example from the documentation:
A RoleBinding can also reference a ClusterRole to grant the permissions defined in that ClusterRole to resources inside the RoleBinding's namespace. This kind of reference lets you define a set of common roles across your cluster, then reuse them within multiple namespaces.
For instance, even though the following RoleBinding refers to a ClusterRole, "dave" (the subject, case sensitive) will only be able to read Secrets in the "development" namespace, because the RoleBinding's namespace (in its metadata) is "development".
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "dave" to read secrets in the "development" namespace.
# You need to already have a ClusterRole named "secret-reader".
kind: RoleBinding
metadata:
  name: read-secrets
  #
  # The namespace of the RoleBinding determines where the permissions are granted.
  # This only grants permissions within the "development" namespace.
  namespace: development
subjects:
- kind: User
  name: dave # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
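Applying the answer's pattern to the deployer in the question, here is an added example (not code from the question, the answer or the Kubernetes documentation) that generates one ClusterRole for the deployer plus a RoleBinding into each pre-created namespace, and statically checks that the ClusterRole cannot be used to manage namespaces. The ServiceAccount name `app-deployer`, its namespace `deployer-system`, the role name `app-deployer-role` and the target namespaces are assumptions. The output is a JSON `List`, which `kubectl apply -f` accepts directly; it avoids a YAML library so the script runs with the standard library only.

```python
"""Least-privilege RBAC for a deployer that manages several namespaces.

Added example: one ClusterRole describes what the deployer may do; a
RoleBinding in every target namespace grants it only there. No
ClusterRoleBinding is created, so the deployer never gets cluster-wide rights.
All names below are assumptions for the example.
"""
import json

RBAC_API = "rbac.authorization.k8s.io/v1"
ALL_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]

# Constructed sample rules: what the question says the deployer must manage.
# Note: no "namespaces" resource and no wildcards anywhere.
DEPLOYER_RULES = [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ALL_VERBS},
    {"apiGroups": [""], "resources": ["services", "configmaps"], "verbs": ALL_VERBS},
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
]


def cluster_role(name, rules):
    """A ClusterRole is only a description of permissions; it grants nothing by itself."""
    return {"apiVersion": RBAC_API, "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}


def role_binding(namespace, cluster_role_name, sa_name, sa_namespace):
    """A namespaced RoleBinding that references the ClusterRole.

    Because the binding lives in `namespace`, the referenced permissions
    apply to resources in that namespace only.
    """
    return {
        "apiVersion": RBAC_API, "kind": "RoleBinding",
        "metadata": {"name": f"{cluster_role_name}-binding", "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": cluster_role_name},
    }


def grants_namespace_admin(rules):
    """Static guard against the mistake the question wants to avoid.

    Flags wildcard resources/verbs and any mutating verb on the "namespaces"
    resource. A RoleBinding cannot authorise creating namespaces (that request
    is cluster-scoped), but get/delete on an individual namespace is evaluated
    against bindings in that namespace, so keep "namespaces" out of the rules.
    """
    mutating = {"create", "update", "patch", "delete", "deletecollection", "*"}
    for rule in rules:
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in resources or "*" in verbs:
            return True
        if "namespaces" in resources and verbs & mutating:
            return True
    return False


def build_manifests(namespaces, role_name="app-deployer-role",
                    sa_name="app-deployer", sa_namespace="deployer-system",
                    rules=DEPLOYER_RULES):
    """Return [ClusterRole, RoleBinding per namespace]; refuse unsafe rules."""
    if grants_namespace_admin(rules):
        raise ValueError("ClusterRole rules would allow managing namespaces")
    return [cluster_role(role_name, rules)] + [
        role_binding(ns, role_name, sa_name, sa_namespace) for ns in namespaces
    ]


def render(namespaces):
    """Serialise as a v1 List so `kubectl apply -f -` can consume stdin."""
    return json.dumps({"apiVersion": "v1", "kind": "List",
                       "items": build_manifests(namespaces)}, indent=2)


if __name__ == "__main__":
    # Constructed sample: the pre-created namespaces the deployer should manage.
    print(render(["team-a", "team-b"]))
```

After applying the output, verify the boundary from the deployer's identity with `kubectl auth can-i create deployments -n team-a --as=system:serviceaccount:deployer-system:app-deployer` (expected `yes`) and `kubectl auth can-i create namespaces --as=system:serviceaccount:deployer-system:app-deployer` (expected `no`). In a Helm chart the same structure is a `range` over a `namespaces` value that emits one RoleBinding per entry, so adding a namespace is a values change rather than a new Role.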