google-kubernetes-engine - How to remove a subject from a cluster role binding in GKE using Cloud Shell
Problem description
I created a ClusterRole:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-pods-role
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - restricted-psp
  verbs:
  - use
I have granted cluster-admin permissions to the user account alex.pitt@xcom.net with the following ClusterRoleBinding command:
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user alex.pitt@xcom.net
Now I want to give the same cluster-admin permissions to dave.pot@xcom.net instead of alex.pitt@xcom.net.
How can I do this from Cloud Shell?
Solution
I want to give the same cluster-admin permissions to dave.pot@xcom.net instead of alex.pitt@xcom.net. How can I do this from Cloud Shell?
- You can do this with a single kubectl patch command from Cloud Shell. Copy the command and replace newuser@domain.com with the desired user:
kubectl patch clusterrolebinding cluster-admin-binding -p '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"newuser@domain.com"}]}'
- Or you can edit the manifest on the fly in the default text editor (usually vi) with the following command:
kubectl edit clusterrolebinding cluster-admin-binding
One thing I would like to comment on:
I noticed that you created a ClusterRole named restricted-pods-role, and in the second part you assigned the cluster-admin role to the user, which gives full control of the cluster. You clearly stated in the question that this is your intention, but if what you want to achieve is to assign the role you just created to the user, the command would be:
kubectl create clusterrolebinding restricted-pods-binding --clusterrole restricted-pods-role --user someuser@domain.com
- It is worth mentioning that a ClusterRoleBinding grants the permissions defined in a ClusterRole to a user or a set of users. It contains a list of subjects (users, groups, or service accounts), so you can use the same binding for multiple users.
Reproduction:
I deployed the ClusterRoleBinding from your example:
$ k get clusterrolebinding cluster-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-05-12T14:55:14Z"
  name: cluster-admin-binding
  resourceVersion: "48399"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-binding
  uid: 7a5055e3-e464-405c-9ed2-891eb671a948
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alex.pitt@xcom.net
- And applied the patch as described above:
$ kubectl patch clusterrolebinding cluster-admin-binding -p '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"newuser@domain.com"}]}'
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-binding patched
$ k get clusterrolebinding cluster-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-05-12T14:55:14Z"
  name: cluster-admin-binding
  resourceVersion: "49703"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-binding
  uid: 7a5055e3-e464-405c-9ed2-891eb671a948
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: newuser@domain.com
As you can see, the user has been replaced.
If you still have any questions about this procedure, let me know in the comments.
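The answer's patch works because `kubectl patch` defaults to a strategic merge patch and the RBAC `subjects` field has no merge key, so the whole list is replaced and the old user silently disappears. The following is an added example, not part of the question or the answer above: it models that replacement and the alternative JSON patch form (`--type=json`, op `add` on `/subjects/-`, which appends instead of replacing), generates both `kubectl` one-liners, and then runs the check you want right after touching a cluster-admin binding: which subjects still hold cluster-admin. The binding it operates on is constructed to mirror the one shown in the reproduction; nothing here contacts a cluster, and the `kubectl` commands it prints are assumed to be run by hand.

```python
"""Added example (not part of the original question or answer).

Models what the two `kubectl patch` forms do to the `subjects` list of a
ClusterRoleBinding and audits who holds cluster-admin afterwards. Runs offline
against a constructed binding; no cluster is touched.
"""
import copy
import json

RBAC_GROUP = "rbac.authorization.k8s.io"

# Constructed sample: the binding from the answer as `kubectl get -o json` would
# return it, with the server-populated metadata left out.
SAMPLE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "cluster-admin-binding"},
    "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"apiGroup": RBAC_GROUP, "kind": "User", "name": "alex.pitt@xcom.net"}],
}


def user_subject(email):
    """Subject entry for a User, in the same shape the answer's patch writes."""
    return {"apiGroup": RBAC_GROUP, "kind": "User", "name": email}


def subject_names(binding):
    return [s["name"] for s in binding.get("subjects", [])]


def merge_patch_subjects(binding, subjects):
    """Effect of the answer's command: kubectl patch ... -p '{"subjects":[...]}'.

    The default patch type is a strategic merge patch, and `subjects` carries no
    merge key in the RBAC API, so the list is replaced wholesale: any subject
    not named in the patch is removed. That is what the answer relies on.
    """
    patched = copy.deepcopy(binding)
    patched["subjects"] = copy.deepcopy(subjects)
    return patched


def json_patch_append_subject(binding, subject):
    """Effect of a JSON patch (--type=json) with op "add" on path /subjects/-,
    which appends one subject and leaves the existing ones in place. Assumes
    the binding already has a `subjects` list, as the one on this page does.
    """
    patched = copy.deepcopy(binding)
    patched["subjects"].append(copy.deepcopy(subject))
    return patched


def kubectl_merge_patch_cmd(name, subjects):
    """The one-liner from the answer, generated for an arbitrary subject list."""
    payload = json.dumps({"subjects": subjects}, separators=(",", ":"))
    return f"kubectl patch clusterrolebinding {name} -p '{payload}'"


def kubectl_json_patch_append_cmd(name, subject):
    """Equivalent one-liner that keeps the existing subjects and adds one more."""
    ops = [{"op": "add", "path": "/subjects/-", "value": subject}]
    payload = json.dumps(ops, separators=(",", ":"))
    return f"kubectl patch clusterrolebinding {name} --type=json -p '{payload}'"


def unexpected_cluster_admins(bindings, allowed_users):
    """Audit: every subject bound to the cluster-admin ClusterRole that is not an
    explicitly allowed User. Groups and ServiceAccounts are always reported,
    because a group grant hands cluster-admin to everyone in that group.
    Feed it the `items` of `kubectl get clusterrolebindings -o json`.
    """
    findings = []
    for b in bindings:
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "User" and s.get("name") in allowed_users:
                continue
            findings.append((b["metadata"]["name"], s.get("kind"), s.get("name")))
    return findings


if __name__ == "__main__":
    dave = user_subject("dave.pot@xcom.net")
    replaced = merge_patch_subjects(SAMPLE_BINDING, [dave])
    appended = json_patch_append_subject(SAMPLE_BINDING, dave)
    print("strategic merge patch ->", subject_names(replaced))
    print("json patch append     ->", subject_names(appended))
    print(kubectl_merge_patch_cmd("cluster-admin-binding", [dave]))
    print(kubectl_json_patch_append_cmd("cluster-admin-binding", dave))
    print("audit after append:", unexpected_cluster_admins([appended], {"dave.pot@xcom.net"}))
```

Run it and the audit reports alex.pitt@xcom.net as an unexpected cluster-admin after the append form, and nothing after the replace form; on a real cluster, pipe `kubectl get clusterrolebindings -o json` through `unexpected_cluster_admins` with your approved list to confirm the change did what you intended, since `kubectl patch` reports only "patched" either way.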