如何设置kubernetes RBAC资源,以便POD可以通过客户端访问API? 问题
我有一个简单的RBAC配置来访问集群中的Kubernetes API。然而,我从kubectl那里得到的信息似乎相互矛盾。部署清单后,RBAC似乎设置正确如何设置kubernetes RBAC资源,以便POD可以通过客户端访问API? 问题,kubernetes,kubectl,rbac,Kubernetes,Kubectl,Rbac,我有一个简单的RBAC配置来访问集群中的Kubernetes API。然而,我从kubectl那里得到的信息似乎相互矛盾。部署清单后,RBAC似乎设置正确 $ kubectl exec -ti pod/controller -- kubectl auth can-i get namespaces Warning: resource 'namespaces' is not namespace scoped yes 但是,实际发出请求会产生一个权限错误 $ kubectl exec -ti pod
$ kubectl exec -ti pod/controller -- kubectl auth can-i get namespaces
Warning: resource 'namespaces' is not namespace scoped
yes
但是,实际发出请求会产生一个权限错误
$ kubectl exec -ti pod/controller -- kubectl get namespaces
Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:default:controller" cannot list resource "namespaces" in API group "" at the cluster scope
command terminated with exit code 1
显示
其他信息
我已经尝试了kubectl auth confidence-f manifest.yaml以及kubectl apply-f manifest.yaml,结果是相同的
在本例中,我还将read namespaces RoleBinding.subjects[0].namespace设置为正确的默认名称空间。输出没有变化。角色是每个命名空间的,您需要使用ClusterRoleBinding创建集群角色和绑定 如果要将集群角色绑定到特定的命名空间,可以使用ClusterRole上的RoleBinding执行以下操作:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa
namespace: myapp
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-myapp
rules:
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: job001
namespace: myapp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: role-myapp
subjects:
- kind: ServiceAccount
name: sa
namespace: myapp
角色是每个命名空间的,您需要使用ClusterRoleBinding创建集群角色和绑定 如果要将集群角色绑定到特定的命名空间,可以使用ClusterRole上的RoleBinding执行以下操作:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa
namespace: myapp
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-myapp
rules:
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: job001
namespace: myapp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: role-myapp
subjects:
- kind: ServiceAccount
name: sa
namespace: myapp
命名空间是群集范围的资源。所以你需要一个ClusterRole和一个ClusterRoleBinding
命名空间是群集范围的资源。所以你需要一个ClusterRole和一个ClusterRoleBinding
角色是每个命名空间的,您需要创建一个群集RoleBinding只能由群集角色访问吗?角色是每个命名空间的,您需要创建一个群集roleCan命名空间只能由群集角色访问吗?我可以让它工作,但我还需要将RoleBinding更改为ClusterRoleBinding我可以让它工作,但我还需要将角色绑定更改为ClusterRoleBinding
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'ClusterRole'
metadata:
name: 'read-namespaces'
rules:
- apiGroups:
- ''
resources:
- 'namespaces'
verbs:
- 'get'
- 'watch'
- 'list'
---
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'ClusterRoleBinding'
metadata:
name: 'read-namespaces'
roleRef:
apiGroup: 'rbac.authorization.k8s.io'
kind: 'ClusterRole'
name: 'read-namespaces'
subjects:
- kind: 'ServiceAccount'
name: 'controller'
---