基于此文档-https://docs.cloud.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengaboutaccesscontrol.htm我正在尝试为Oracle Cloud IAM组配置对Kubernetes的访问,但我只能为单个用户成功授予访问权限。
复制步骤(假设配置了隔离专区,集群,OCI CLI和kubectl):
testgroup
testuser
testuser
放入组testgroup
kubernetes_dev_access
Allow group testgroup to use clusters in compartment mycompartment
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubernetes_dev_access
rules:
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["create", "get", "update", "list", "delete", "watch"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["create", "get", "update", "list", "delete", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes_dev_access_group
subjects:
- kind: Group
name: ocid1.group.oc1..aaaaaaaaabababababababababababababababababa
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: kubernetes_dev_access
apiGroup: rbac.authorization.k8s.io
这应该允许我的用户成功列出豆荚:
kubectl get pods
但是出现以下错误:
Error from server (Forbidden): pods is forbidden: User "ocid1.group.oc1..aaaaaaaaabababababababababababababababababa" cannot list resource "pods" in API group "" in the namespace "mynamespace"
关键行似乎是:
- kind: Group
name: ocid1.group.oc1..aaaaaaaaabababababababababababababababababa
apiGroup: rbac.authorization.k8s.io
如果我用以下对特定用户的引用替换这些行,它将起作用,即,我得到了pod列表:
- kind: User
name: ocid1.user.oc1..aaaaaaaaaxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxyx
apiGroup: rbac.authorization.k8s.io
感谢任何指针,谢谢。
OKE尚不支持RBAC中的群组。您必须在RBAC策略中定义单个用户。