如何指定用于扩展特定部署的 kubernetes RBAC 权限

how to specify kubernetes RBAC permissions for scaling a specific deployment

我正在尝试授予一组用户在 kubernetes 1.20 中扩展一组特定部署的权限

我试过在此处使用 API 参考文档:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#patch-scale-deployment-v1-apps 像这样设置资源名称:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
  resources:
    - /namespaces/my-namespace-name/deployments/my-deployment-name/scale
    - deployments/my-deployment-name/scale
  verbs:
    - update
    - patch

这行不通:

$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
Error from server (Forbidden): deployments.apps "my-deployment-name" is forbidden: User "kubeoperatorrole" cannot patch resource "deployments/scale" in API group "apps" in the namespace "my-namespace-name"

让缩放命令起作用的唯一方法是授予所有部署的权限(不是我想要的),如下所示:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
  resources:
    - deployments/scale
  verbs:
    - update
    - patch
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
deployment.apps/my-deployment-name scaled

按名称指定特定部署资源的正确语法是什么,或者这是不可能的? 我的目标部署无法移动到独立的命名空间。

resources 不是您要查找的内容,它是 resourceNames,它必须是特定的对象名称,例如 resourceNames: [my-deployment-name]。总的来说,这不是一个很好的方法,期望您将按名称空间对事物进行分段,并仅在一个名称空间(或两个或三个或任何名称)中授予它们权限。

尝试:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
- apiGroups: ["apps"]
  resources:
  - deployments/scale
  resourceNames: ["my-deployment-name"]  # <-- name of your deployment here
  verbs:
  - update
  - patch