Kubernetes: granting a user/service account permission to use the 'kubectl cp' command


I have a pod with a Java application inside; the Java application watches a directory and automatically discovers and loads plugin bundles. These bundles are independent Java projects with their own CI/CD pipelines. Now I want to use the kubectl cp command in my CI/CD script to deploy these bundle files, but I only want to give the CI/CD user the minimum permissions. Can this be done with the Kubernetes RBAC API?

kubectl cp uses kubectl exec internally, so the RBAC rule needs to be on the exec subresource of pods:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-copy
rules:
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
Then you can create a RoleBinding that assigns this Role to a service account:

apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows the "default" service account to exec into pods in the "default" namespace.
# You need to already have a Role named "pod-copy" in that namespace.
kind: RoleBinding
metadata:
  name: pod-copy-rolebinding
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
  name: default # "name" is case sensitive
  namespace: default #namespace where service account is created
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: pod-copy # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
This lets the service account default in the default namespace exec into pods in the default namespace.

The same RoleBinding can also be applied to a user by naming the user in subjects:

apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows user "Jane" to exec into pods in the "default" namespace.
# You need to already have a Role named "pod-copy" in that namespace.
kind: RoleBinding
metadata:
  name: pod-copy-rolebinding
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: Jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: pod-copy # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

The minimal RBAC Role for kubectl cp looks like this:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: copy-to-pod
rules:
- apiGroups: [""]
  resources: ["pods", "pods/exec"]
  verbs: ["get", "create"]
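The two Roles above differ in more than one line, and before binding either one to a CI job it is worth seeing exactly what each grants. The following script is an added example, not code from either answer or from Kubernetes: it models the rule matching the apiserver's RBAC authorizer performs (apiGroups, resources and subresources, verbs, resourceNames) and runs the page's pod-copy and copy-to-pod rules through it, alongside a hypothetical split variant. The Rule class, can_i, grants and the split variant are this example's own assumptions.

```python
"""Added example: an offline model of Kubernetes RBAC rule matching, used to
compare the Roles from the answers above.  It mirrors the checks the
apiserver's RBAC authorizer performs (apiGroups, resources/subresources,
verbs, resourceNames) but is NOT Kubernetes code and not an authorizer to
deploy; on a real cluster use `kubectl auth can-i`."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    """One entry of a Role's `rules:` list (same fields as the YAML)."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


def _resource_matches(rule_resource: str, requested: str, subresource: str) -> bool:
    # "*" matches everything; otherwise the rule entry must equal the combined
    # "resource/subresource" string exactly, or use the "*/subresource" form.
    # A bare "pods" entry therefore never matches a "pods/exec" request.
    if rule_resource == "*" or rule_resource == requested:
        return True
    return bool(subresource) and rule_resource == f"*/{subresource}"


def can_i(rules: List[Rule], verb: str, api_group: str, resource: str,
          subresource: str = "", name: str = "") -> bool:
    """True if any rule grants `verb` on resource[/subresource], optionally for a named object."""
    requested = f"{resource}/{subresource}" if subresource else resource
    for r in rules:
        group_ok = "*" in r.api_groups or api_group in r.api_groups
        verb_ok = "*" in r.verbs or verb in r.verbs
        res_ok = any(_resource_matches(x, requested, subresource) for x in r.resources)
        # Empty resourceNames means "any object of that kind".
        name_ok = not r.resource_names or name in r.resource_names
        if group_ok and verb_ok and res_ok and name_ok:
            return True
    return False


# The two Roles from the answers, transcribed from their YAML (core API group is "").
POD_COPY = [Rule([""], ["pods/exec"], ["create"])]
COPY_TO_POD = [Rule([""], ["pods", "pods/exec"], ["get", "create"])]

# Hypothetical tighter variant (not from the page): one rule per resource, so the
# verbs are not cross-multiplied over both resources.
COPY_TO_POD_TIGHT = [
    Rule([""], ["pods"], ["get"]),
    Rule([""], ["pods/exec"], ["create"]),
]

# Requests worth checking: what `kubectl cp` needs, plus verbs a CI job should NOT have.
CHECKS = [
    ("get", "pods", ""),
    ("create", "pods", "exec"),
    ("create", "pods", ""),
    ("update", "pods", ""),
    ("delete", "pods", ""),
]


def grants(rules: List[Rule]) -> Dict[str, bool]:
    """Map 'verb resource[/sub]' -> allowed, for every request in CHECKS."""
    out = {}
    for verb, res, sub in CHECKS:
        key = f"{verb} {res}/{sub}" if sub else f"{verb} {res}"
        out[key] = can_i(rules, verb, "", res, sub)
    return out


if __name__ == "__main__":
    for role_name, rules in [("pod-copy", POD_COPY), ("copy-to-pod", COPY_TO_POD),
                             ("copy-to-pod (split)", COPY_TO_POD_TIGHT)]:
        print(role_name)
        for request, allowed in grants(rules).items():
            print(f"  {request:<18} {'yes' if allowed else 'no'}")
```

The point the script makes: within a single rule every verb applies to every resource, so copy-to-pod as written also grants create pods and get pods/exec; pod-copy grants only create pods/exec but no get pods. Splitting the role into two rules keeps only the two requests kubectl cp actually issues. On a live cluster the equivalent check is kubectl auth can-i create pods/exec --as=system:serviceaccount:default:default -n default (and the same with get pods). resourceNames could narrow the exec grant to named pods, but pods created by a Deployment have generated names, so that rarely fits a CI job.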

Did you read this @? I think what RBAC can provide is a broader privilege, say a role with the update verb on my pod, which is not what I want.

You probably don't want to use kubectl cp here. (What happens if a pod has multiple replicas? What happens if a node fails and Kubernetes reschedules the pod on another system?) Have your CI system build a new image, push it to a repository, and have it update the deployment spec to upgrade the running system.

@DavidMaze You're right, thanks.

How to generate ~/.kube/config, then? My CI/CD job runs outside the Kubernetes cluster.

Please ask another question detailing where you want to generate the kubeconfig.