Kubernetes 为多个名称空间创建serviceaccount
我正在尝试使用相同的令牌在Kubernetes中创建一个serviceaccount,并且只允许他们访问三个名称空间。这在库伯内特斯可能吗 我所做的: 我创建我的服务帐户:Kubernetes 为多个名称空间创建serviceaccount,kubernetes,Kubernetes,我正在尝试使用相同的令牌在Kubernetes中创建一个serviceaccount,并且只允许他们访问三个名称空间。这在库伯内特斯可能吗 我所做的: 我创建我的服务帐户: kubectl create serviceaccount myuser 我创建了一个角色: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: kubernetes.io/bootstrapping: rba
kubectl create serviceaccount myuser
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: myrole
rules:
- apiGroups:
- ""
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
kind: ClusterRoleBinding
metadata:
labels:
name: myRoleBinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: myrole
subjects:
- kind: ServiceAccount
name: myuser
namespace: wordpress
- kind: ServiceAccount
name: myuser
namespace: mysql
- kind: ServiceAccount
name: myuser
namespace: redis
Error from server (Forbidden): pods is forbidden: User
"system:serviceaccount:default:myuser" cannot list resource "secrets" in API group
"" in the namespace "wordpress"
希望有人能帮上忙。试着把这个放在你的集群角色里
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: myrole
rules:
- apiGroups:
- "*"
resources:
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
- secrets
- services/proxy
verbs:
- get
- list
- watch
您希望将该clusterrole绑定到所有三个名称空间中的服务帐户。为此,请在每个命名空间中创建一个命名空间角色绑定 i、 e
您正在使用
默认$ kubectl create rolebinding myrolebinding --serviceaccount=default:myuser --clusterrole=myrole --namespace=wordpress
$ kubectl create rolebinding myrolebinding --serviceaccount=default:myuser --clusterrole=myrole --namespace=namespace2
$ kubectl create rolebinding myrolebinding --serviceaccount=default:myuser --clusterrole=myrole --namespace=namespace3