时间戳

首页 > 解决方案 > 如何制作一个允许对命名空间中的角色和角色绑定进行所有操作的 k8s 角色?

kubernetes - 如何制作一个允许对命名空间中的角色和角色绑定进行所有操作的 k8s 角色?

问题描述

我想创建一个角色,允许在命名空间级别上对“Roles”和“RoleBindings”(但不是 ClusterRoles 或 ClusterRoleBindings)执行任何操作。

这是我放在一起的角色 YAML,但是当它绑定到服务帐户时,它现在被应用了。我做错了什么?

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-binder
  namespace: foo-namespace
rules:
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - Role
  - RoleBinding
  verbs:
  - '*'

标签: kubernetesrbac

解决方案

您可以通过以下规则实现:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-grantor
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-grantor-binding
  namespace: office
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-grantor
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: employee

我在我的实验室对其进行了测试,它可以按您的意愿工作:

$ kubectl --context=employee-context get role 
NAME                 AGE
deployment-manager   15m
role-binder          12m

$ kubectl --context=employee-context get rolebindings
NAME                         AGE
deployment-manager-binding   15m
role-grantor-binding         3m37s

$ kubectl --context=employee-context get clusterrolebindings
Error from server (Forbidden): clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "employee" cannot list resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

您可以在文档中详细了解此内容。

推荐阅读