Kubernetes: granting a user/service account permission to use the 'kubectl cp' command
I have a pod running a Java application. The Java application watches a directory and automatically finds and loads plugin bundles. These bundles are standalone Java projects with their own CI/CD pipelines. Now I want to use the kubectl cp command in my CI/CD script to deploy these bundle files, but I want to give the CI/CD user the lowest possible privileges. Is this possible with the Kubernetes RBAC API?

kubectl cp uses kubectl exec internally. So the RBAC rule needs to be on the exec subresource of the pod:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-copy
rules:
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
Then you can create a RoleBinding that assigns this Role to a service account:
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows the "default" service account to exec into pods in the "default" namespace.
# You need to already have a Role named "pod-copy" in that namespace.
kind: RoleBinding
metadata:
  name: pod-copy-rolebinding
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
  name: default # "name" is case sensitive
  namespace: default # namespace where the service account is created
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: pod-copy # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
This lets the service account named default in the default namespace exec into pods in the default namespace.
The same RoleBinding can also be applied to a user by naming the user as the subject:
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows the user "Jane" to exec into pods in the "default" namespace.
# You need to already have a Role named "pod-copy" in that namespace.
kind: RoleBinding
metadata:
  name: pod-copy-rolebinding
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: Jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: pod-copy # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
The minimal RBAC Role for kubectl cp looks like this:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: copy-to-pod
rules:
- apiGroups: [""]
  resources: ["pods", "pods/exec"]
  verbs: ["get", "create"]
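To see what each Role posted in the two answers actually grants, here is an added example that is not from either answer or from Kubernetes itself: a small Python model of RBAC rule matching, run against the two Roles and a tighter constructed variant. The pod name plugin-host-0 and the Role dicts are constructed, and the evaluator simplifies the real matching logic, so it complements rather than replaces kubectl auth can-i.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    verb: str
    resource: str        # "pods" or a subresource such as "pods/exec"
    name: str = ""       # pod name; empty for list-style requests
    api_group: str = ""  # the core API group is the empty string


def _resource_match(patterns, resource):
    """'*' matches everything; 'pods/*' matches every subresource of pods but not pods itself."""
    for p in patterns:
        if p == "*" or p == resource or (p.endswith("/*") and resource.startswith(p[:-1])):
            return True
    return False


def rule_allows(rule, req):
    """A PolicyRule matches only if group, verb, resource and (when set) resourceNames all match."""
    groups_ok = "*" in rule["apiGroups"] or req.api_group in rule["apiGroups"]
    verbs_ok = "*" in rule["verbs"] or req.verb in rule["verbs"]
    names = rule.get("resourceNames", [])
    names_ok = not names or req.name in names
    return groups_ok and verbs_ok and names_ok and _resource_match(rule["resources"], req.resource)


def role_allows(role, req):
    """Rules in a Role are purely additive: any single matching rule grants the request."""
    return any(rule_allows(r, req) for r in role["rules"])


def missing_for_cp(role, pod="plugin-host-0"):
    """Requests kubectl cp makes (per the second answer) that this role does not grant."""
    needed = [Request("get", "pods", pod), Request("create", "pods/exec", pod)]
    return [f"{r.verb} {r.resource}" for r in needed if not role_allows(role, r)]


# Constructed copies of the two Roles posted in the answers (rules only).
POD_COPY = {"rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]}
COPY_TO_POD = {"rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "create"]}]}
# Tighter constructed variant: one rule per verb/resource pair, pinned to one pod name
# (resourceNames only helps when the pod name is stable, e.g. a StatefulSet pod).
COPY_TO_NAMED_POD = {"rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"], "resourceNames": ["plugin-host-0"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"], "resourceNames": ["plugin-host-0"]},
]}

if __name__ == "__main__":
    for name, role in [("pod-copy", POD_COPY), ("copy-to-pod", COPY_TO_POD), ("named", COPY_TO_NAMED_POD)]:
        print(name, "| missing for cp:", missing_for_cp(role) or "nothing",
              "| can create pods:", role_allows(role, Request("create", "pods")))
```

Because verbs and resources inside one rule form a cross product, copy-to-pod also grants create on pods; splitting the rule per verb/resource pair, as in the named variant, removes that without breaking kubectl cp.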
Have you read this @? I think RBAC can only offer broader privileges, for example a role with the update verb on my pod, which is not what I want.

You probably don't want to use kubectl cp here. (What happens if a pod has multiple replicas? What happens if a node fails and Kubernetes reschedules the pod on another system?) Have your CI system build a new image, push it to a repository, and have it update the deployment spec to upgrade the running system.

@DavidMaze You're right, thanks. How do I generate ~/.kube/config then? My CI/CD task runs outside the Kubernetes cluster.

Please ask another question with details about where you want to generate the kubeconfig.