kubernetes - allow access to all resources on kubernetes cluster except get nodes
问题描述
Team, I have below cluster role on kubernetes that allows access to everything but I wan't to restrict node level commands and allow all rest.
What to modify below? Basically, user should be able to run
kubectl get all --all-namespaces
but not nodes info should NOT display
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin-test
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
解决方案
规则纯粹是附加的,意味着你不能限制规则。
因此,您需要列出所有可访问的资源,但需要列出具有适当操作的“节点”
例如:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: cluster-admin
rules:
- apiGroups: [""]
resources: ["pods","services","namespaces","deployments","jobs"]
verbs: ["get", "watch", "list"]
此外,强烈建议不要更改集群管理员角色。值得创建一个新角色并将用户分配给它。
推荐阅读
- flutter - 如何在 Flutter 项目中添加自定义库?
- java - 错误形式(在 com.going.books.MainActivity.onCreate(MainActivity.java:19))
- redis - Redis命令同步还是异步?
- powershell - 为什么直接放入脚本中的命令时命令行参数不起作用?
- android - 使用 kotlin 和改造时编译出错
- google-search-console - Google Search Console 死锁:无法删除 URL,因此我可以索引不同的 URL
- javascript - 有时机器人不会添加角色并设置昵称
- angular - 在存储中找不到 ng-oidc-client 用户
- ios - Swift - 如何检测一只眼睛眨眼
- javafx - Javafx长触摸隐藏触摸方形效果