如何指定用于扩展特定部署的 kubernetes RBAC 权限
how to specify kubernetes RBAC permissions for scaling a specific deployment
我正在尝试授予一组用户在 kubernetes 1.20 中扩展一组特定部署的权限
我试过在此处使用 API 参考文档:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#patch-scale-deployment-v1-apps
像这样设置资源名称:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
resources:
- /namespaces/my-namespace-name/deployments/my-deployment-name/scale
- deployments/my-deployment-name/scale
verbs:
- update
- patch
这行不通:
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
Error from server (Forbidden): deployments.apps "my-deployment-name" is forbidden: User "kubeoperatorrole" cannot patch resource "deployments/scale" in API group "apps" in the namespace "my-namespace-name"
让缩放命令起作用的唯一方法是授予所有部署的权限(不是我想要的),如下所示:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
resources:
- deployments/scale
verbs:
- update
- patch
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
deployment.apps/my-deployment-name scaled
按名称指定特定部署资源的正确语法是什么,或者这是不可能的?
我的目标部署无法移动到独立的命名空间。
resources 不是您要查找的内容,它是 resourceNames,它必须是特定的对象名称,例如 resourceNames: [my-deployment-name]。总的来说,这不是一个很好的方法,期望您将按名称空间对事物进行分段,并仅在一个名称空间(或两个或三个或任何名称)中授予它们权限。
尝试:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeoperator-cr
rules:
- apiGroups: ["apps"]
resources:
- deployments/scale
resourceNames: ["my-deployment-name"] # <-- name of your deployment here
verbs:
- update
- patch
我正在尝试授予一组用户在 kubernetes 1.20 中扩展一组特定部署的权限
我试过在此处使用 API 参考文档:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#patch-scale-deployment-v1-apps 像这样设置资源名称:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
resources:
- /namespaces/my-namespace-name/deployments/my-deployment-name/scale
- deployments/my-deployment-name/scale
verbs:
- update
- patch
这行不通:
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
Error from server (Forbidden): deployments.apps "my-deployment-name" is forbidden: User "kubeoperatorrole" cannot patch resource "deployments/scale" in API group "apps" in the namespace "my-namespace-name"
让缩放命令起作用的唯一方法是授予所有部署的权限(不是我想要的),如下所示:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
resources:
- deployments/scale
verbs:
- update
- patch
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
deployment.apps/my-deployment-name scaled
按名称指定特定部署资源的正确语法是什么,或者这是不可能的? 我的目标部署无法移动到独立的命名空间。
resources 不是您要查找的内容,它是 resourceNames,它必须是特定的对象名称,例如 resourceNames: [my-deployment-name]。总的来说,这不是一个很好的方法,期望您将按名称空间对事物进行分段,并仅在一个名称空间(或两个或三个或任何名称)中授予它们权限。
尝试:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeoperator-cr
rules:
- apiGroups: ["apps"]
resources:
- deployments/scale
resourceNames: ["my-deployment-name"] # <-- name of your deployment here
verbs:
- update
- patch