Azure Kubernetes - custom role with delete pods
I found a YAML in the Microsoft documentation that allows all operations on all resources within a namespace. I modified this YAML to leave out the delete verb and it works fine:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myaksrole_useraccess
  namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["create", "patch", "get", "update", "list"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["create", "patch", "get", "update", "list"]
My question is: how do I add delete only for the pods resource in this YAML?
Let's check the myaksrole_useraccess role from the original definition:
kubectl describe role myaksrole_useraccess -n mynamespace
Name:         myaksrole_useraccess
kind: Role
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources       Non-Resource URLs  Resource Names  Verbs
  ---------       -----------------  --------------  -----
  *               []                 []              [create patch get update list]
  *.apps          []                 []              [create patch get update list]
  cronjobs.batch  []                 []              [create patch get update list]
  jobs.batch      []                 []              [create patch get update list]
  *.extensions    []                 []              [create patch get update list]
Then we can add the extra permission for the pods resource. The updated role definition looks like this.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myaksrole_useraccess
  namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["create", "patch", "get", "update", "list"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["create", "patch", "get", "update", "list"]
- apiGroups: [""]
  resources:
  - pods
  verbs: ["delete", "create", "patch", "get", "update", "list"]
Apply the change:
kubectl apply -f myaksrole_useraccess.yaml
Check the myaksrole_useraccess role again:
kubectl describe role myaksrole_useraccess -n mynamespace
Name:         myaksrole_useraccess
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources       Non-Resource URLs  Resource Names  Verbs
  ---------       -----------------  --------------  -----
  *               []                 []              [create patch get update list]
  *.apps          []                 []              [create patch get update list]
  cronjobs.batch  []                 []              [create patch get update list]
  jobs.batch      []                 []              [create patch get update list]
  *.extensions    []                 []              [create patch get update list]
  pods            []                 []              [delete create patch get update list]
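As an added example (not part of the answer above), the following script mirrors how the API server evaluates RBAC rules so you can confirm offline that the updated role grants delete on pods and nothing else. The rules are transcribed from the updated Role on this page; the candidate resource list is constructed for illustration.

```python
# Offline evaluation of a Kubernetes Role, following the additive matching
# the API server applies: a request is allowed when ANY rule matches it.
# Rules transcribed from the updated myaksrole_useraccess Role above.
ROLE_RULES = [
    {"apiGroups": ["", "extensions", "apps"], "resources": ["*"],
     "verbs": ["create", "patch", "get", "update", "list"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"],
     "verbs": ["create", "patch", "get", "update", "list"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["delete", "create", "patch", "get", "update", "list"]},
]


def rule_matches(rule, api_group, resource, verb):
    """One rule permits a request when group, resource and verb all match.
    '*' is a wildcard in each field; '' is the core API group.  A plain
    resource name ('pods') does not match its subresources ('pods/log');
    only '*' does."""
    groups_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    resources_ok = "*" in rule["resources"] or resource in rule["resources"]
    verbs_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    return groups_ok and resources_ok and verbs_ok


def allowed(rules, api_group, resource, verb):
    """RBAC has no deny rules, so adding the pods rule can only widen the
    role; the existing '*' rule still covers pods for the other verbs."""
    return any(rule_matches(r, api_group, resource, verb) for r in rules)


def delete_surface(rules, candidates):
    """Return the candidate resources (as resource.group) that can be deleted."""
    return sorted(f"{res}.{grp}" if grp else res
                  for grp, res in candidates
                  if allowed(rules, grp, res, "delete"))


# Constructed list of resources to probe; extend it for your own cluster.
CANDIDATES = [("", "pods"), ("", "secrets"), ("apps", "deployments"),
              ("batch", "jobs"), ("extensions", "ingresses")]

if __name__ == "__main__":
    print(delete_surface(ROLE_RULES, CANDIDATES))  # ['pods']
```

Against a live cluster the same checks are `kubectl auth can-i delete pods -n mynamespace --as=<subject>` for a subject bound to the role.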