Allow a Kubernetes user to list/get namespaces
I have the following user manifest and I want to allow the myapp user to get a list of all namespaces in the cluster. From what I have found, I should create a ClusterRole, but I really cannot find enough details. Is there a list of all apiGroups with their corresponding resources and verbs?
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-user
  namespace: myapp
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: myapp-user-role
  namespace: myapp
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses   # the resource name is plural; "ingress" does not match anything
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: myapp-user
  namespace: myapp
subjects:
  - kind: ServiceAccount
    name: myapp-user   # must match the ServiceAccount name exactly
    namespace: myapp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myapp-user-role
I thought that adding this to role.rules might help, but unfortunately it did not:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["GET"]
You can get the API resources with:
kubectl api-resources
NAME                     SHORTNAMES   APIGROUP   NAMESPACED   KIND
bindings                                         true         Binding
componentstatuses        cs                      false        ComponentStatus
configmaps               cm                      true         ConfigMap
endpoints                ep                      true         Endpoints
events                   ev                      true         Event
limitranges              limits                  true         LimitRange
namespaces               ns                      false        Namespace
nodes                    no                      false        Node
persistentvolumeclaims   pvc                     true         PersistentVolumeClaim
persistentvolumes        pv                      false        PersistentVolume
To create the ClusterRole and ClusterRoleBinding, the commands below should work:
kubectl create clusterrole cr --verb=get,list --resource=namespaces
kubectl create clusterrolebinding crb --clusterrole=cr --serviceaccount=default:default
Then test it:
kubectl auth can-i get ns --as=system:serviceaccount:default:default
kubectl auth can-i list ns --as=system:serviceaccount:default:default
You can list all resource types supported by the cluster with the following command:
kubectl api-resources
NAME                     SHORTNAMES   APIGROUP   NAMESPACED   KIND
bindings                                         true         Binding
componentstatuses        cs                      false        ComponentStatus
configmaps               cm                      true         ConfigMap
endpoints                ep                      true         Endpoints
events                   ev                      true         Event
limitranges              limits                  true         LimitRange
namespaces               ns                      false        Namespace
nodes                    no                      false        Node
persistentvolumeclaims   pvc                     true         PersistentVolumeClaim
persistentvolumes        pv                      false        PersistentVolume
To see all the operations/verbs supported on these resources, you need to look up the Kubernetes reference documentation for the version relevant to you, for example CronJobs.
Thanks to the answers from @abhishek jaisingh and @arghya sadhu I was able to find the answer and rewrite the commands as a manifest:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: myapp-user-cr
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: myapp-user-crb
  namespace: myapp   # a ClusterRoleBinding is cluster-scoped, so this field is ignored
subjects:
  - kind: ServiceAccount
    name: myapp-user
    namespace: myapp
roleRef:
  kind: ClusterRole
  name: myapp-user-cr
  apiGroup: rbac.authorization.k8s.io
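The following is an added illustration, not code from the question, the answers, kubectl or the Kubernetes authorizer. It is a small model of how RBAC evaluates a request against a Role/RoleBinding pair and a ClusterRole/ClusterRoleBinding pair, fed with the rules from this page: the original namespaced Role (including the uppercase "GET" rule that was tried) and the accepted ClusterRole. It shows the three things that decide the outcome: a RoleBinding is consulted only for requests that carry its namespace, a list of all namespaces (LIST /api/v1/namespaces) carries no namespace attribute, and verbs are compared as exact lowercase strings. The case of getting a single namespace by name is modelled on the API server's path parsing, which records GET /api/v1/namespaces/<name> with <name> as the request namespace; the subject name and the extra pod requests are assumptions chosen for illustration.

```python
"""
Added example: a minimal model of Kubernetes RBAC evaluation (not the real
authorizer). Bindings carry the rules of the Role/ClusterRole they reference
and, for a RoleBinding, the namespace they live in.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Binding:
    subject: str               # e.g. "system:serviceaccount:myapp:myapp-user"
    rules: Tuple[Rule, ...]    # rules of the referenced Role or ClusterRole
    namespace: Optional[str]   # RoleBinding namespace; None for a ClusterRoleBinding


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    api_group: str             # "" is the core group
    resource: str
    namespace: Optional[str]   # None for a cluster-scoped request


def _matches(allowed: Tuple[str, ...], wanted: str) -> bool:
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    """Exact, case-sensitive match of group, resource and verb (or "*")."""
    return (_matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource)
            and _matches(rule.verbs, req.verb))


def can_i(bindings: Iterable[Binding], req: Request) -> bool:
    """Allow if any binding for this subject is in scope and has a matching rule."""
    for b in bindings:
        if b.subject != req.user:
            continue
        # RoleBinding scope: only requests inside its own namespace. A request
        # with no namespace (cluster-scoped, e.g. listing all namespaces)
        # therefore never matches a RoleBinding, whatever its rules say.
        if b.namespace is not None and req.namespace != b.namespace:
            continue
        if any(rule_allows(r, req) for r in b.rules):
            return True
    return False


# Assumed subject: the ServiceAccount from the question, in its usual RBAC form.
SA = "system:serviceaccount:myapp:myapp-user"

# The question's Role (core group, all resources, all verbs; plus the
# uppercase "GET" rule that was tried), bound with a RoleBinding in "myapp".
ROLE_ATTEMPT = Binding(SA, (
    Rule(("", "extensions", "apps"), ("*",), ("*",)),
    Rule(("",), ("namespaces",), ("GET",)),
), namespace="myapp")

# The accepted fix: ClusterRole get/list on namespaces, bound cluster-wide.
CLUSTER_FIX = Binding(SA, (
    Rule(("",), ("namespaces",), ("get", "list")),
), namespace=None)


def check(bindings: Iterable[Binding], verb: str, resource: str,
          namespace: Optional[str] = None, api_group: str = "") -> bool:
    """Model of `kubectl auth can-i VERB RESOURCE [-n NS] --as=<SA>`."""
    return can_i(bindings, Request(SA, verb, api_group, resource, namespace))


if __name__ == "__main__":
    # Constructed cases: the namespace request from the question plus a few
    # extra requests that show the scope each binding actually grants.
    cases = [
        ("list namespaces (cluster-wide)", "list", "namespaces", None),
        # GET /api/v1/namespaces/myapp is parsed with namespace "myapp",
        # so the namespaced Role can cover it; the list above it cannot.
        ("get namespace myapp", "get", "namespaces", "myapp"),
        ("delete pods in myapp", "delete", "pods", "myapp"),
        ("delete pods in kube-system", "delete", "pods", "kube-system"),
        ("delete namespaces", "delete", "namespaces", None),
    ]
    for label, verb, res, ns in cases:
        print(f"{label:32} Role+RoleBinding={check([ROLE_ATTEMPT], verb, res, ns)!s:5} "
              f"ClusterRole+CRB={check([CLUSTER_FIX], verb, res, ns)}")
```

The model also makes the least-privilege trade-off visible: the original Role's `resources: ["*"], verbs: ["*"]` lets the ServiceAccount delete pods in myapp (but not in kube-system), while the ClusterRole grants only get and list on namespaces and nothing else, cluster-wide. Against a real cluster, the same matrix is obtained with `kubectl auth can-i` as shown in the first answer.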
On how to attach a clusterrolebinding to a specific namespace, please refer to the documentation on clusterrolebinding.