前端之家

  1. 首页
  2. 问答

如何为所有Kubernetes服务帐户授予对特定名称空间的访问权限?

问答

我在GCP中启用了RBAC的Kubernetes集群

对于耕种机,有一个名称空间 ,对于服务而言,有多个

现在,鉴于其全名,我可以为特定服务帐户分配读取者角色

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: tiller-reader
  namespace: tiller
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - "get"
    - "watch"
    - "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-reader-role-binding
  namespace: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: system:serviceaccount:my-namespace-1:my-namespace-1-service-account

服务名称空间和帐户是动态创建的。如何自动授予所有服务帐户访问权到Tiller命名空间,例如:获取吊舱?

a8608 回答:如何为所有Kubernetes服务帐户授予对特定名称空间的访问权限?

要向所有服务帐户授予角色,您必须使用Group system:serviceaccounts。

您可以尝试以下配置:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: tiller-reader
  namespace: tiller
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - "get"
    - "watch"
    - "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-reader-role-binding
  namespace: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tiller-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts
kuberneteskubernetes-helmrbac
本文链接:https://www.f2er.com/3131111.html

大家都在问