Problem description

How do I assign RBAC permissions to the system:anonymous service account in Kubernetes?

To learn about Kubernetes, I want to assign permissions to the system:anonymous service account so that I can use kubectl auth can-i --list.

I created the following role and role binding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: anonymous-review-access
rules:
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectaccessreviews
  - selfsubjectrulesreviews
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: anonymous-review-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: anonymous-review-access
subjects:
- kind: ServiceAccount
  name: anonymous
  namespace: default

After running kubectl apply -f ... on the above, I am still not allowed to review access as anonymous:

$ kubectl auth can-i --list --as=system:anonymous -n default
Error from server (Forbidden): selfsubjectrulesreviews.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "selfsubjectrulesreviews" in API group "authorization.k8s.io" at the cluster scope

How do I create the correct role and role binding so that I can view permissions as the system:anonymous service account?

Tags: docker kubernetes cloud

Solution

system:anonymous is not a service account. Requests that are not rejected by any other configured authentication method are treated as anonymous requests and are given a username of system:anonymous and a group of system:unauthenticated.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: anonymous-review-access
rules:
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectaccessreviews
  - selfsubjectrulesreviews
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: anonymous-review-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: anonymous-review-access
subjects:
# A User subject is matched by username only; it is not namespaced,
# so no namespace field is needed here.
- kind: User
  name: system:anonymous

$ kubectl auth can-i --list --as=system:anonymous -n default
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
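To make the answer's point concrete, here is an added example (not part of the original post or of Kubernetes itself): a small Python model of how the RBAC authorizer matches ClusterRoleBinding subjects and rules, fed the two bindings above as Python dicts instead of YAML. It shows why a ServiceAccount subject named "anonymous" never matches the user system:anonymous, while a User subject (or a Group subject for system:unauthenticated) does.

```python
# Added example, not the original post's code: a minimal model of RBAC
# subject and rule matching, using the page's ClusterRole and both bindings.

def subject_matches(subject, username, groups):
    """Mirror RBAC subject matching: a ServiceAccount subject is the user
    system:serviceaccount:<namespace>:<name>, a User subject is an exact
    username, a Group subject matches any of the caller's groups."""
    kind, name = subject["kind"], subject["name"]
    if kind == "ServiceAccount":
        return username == f"system:serviceaccount:{subject['namespace']}:{name}"
    if kind == "User":
        return username == name
    if kind == "Group":
        return name in groups
    return False

def rule_allows(rule, api_group, resource, verb):
    def covers(values, wanted):
        return wanted in values or "*" in values
    return (covers(rule["apiGroups"], api_group) and covers(rule["resources"], resource)
            and covers(rule["verbs"], verb))

def can_i(username, groups, bindings, roles, api_group, resource, verb):
    """True if a binding with a matching subject references a role whose rules
    cover the request; RBAC only grants, so the default answer is deny."""
    for binding in bindings:
        if any(subject_matches(s, username, groups) for s in binding["subjects"]):
            rules = roles[binding["roleRef"]["name"]]["rules"]
            if any(rule_allows(r, api_group, resource, verb) for r in rules):
                return True
    return False

# The page's ClusterRole as a dict (constructed here instead of parsing YAML).
ROLES = {"anonymous-review-access": {"rules": [{
    "apiGroups": ["authorization.k8s.io"],
    "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"],
    "verbs": ["create"]}]}}
ROLE_REF = {"roleRef": {"kind": "ClusterRole", "name": "anonymous-review-access"}}
# The asker's binding (ServiceAccount "anonymous") and the answer's (User system:anonymous).
SA_BINDING = {**ROLE_REF, "subjects": [{"kind": "ServiceAccount", "name": "anonymous", "namespace": "default"}]}
USER_BINDING = {**ROLE_REF, "subjects": [{"kind": "User", "name": "system:anonymous"}]}

# An unauthenticated request is evaluated as this username and group.
ANON_USER, ANON_GROUPS = "system:anonymous", ["system:unauthenticated"]
REQ = ("authorization.k8s.io", "selfsubjectrulesreviews", "create")

def check(binding):
    return can_i(ANON_USER, ANON_GROUPS, [binding], ROLES, *REQ)
```

Note that any rule bound to system:anonymous or system:unauthenticated is granted to every caller that can reach the API server without credentials, so such bindings are worth auditing regularly.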
