我有一组users(dev-team)
,只需要访问dev
和qa
命名空间。我创建了一个服务帐户,集群角色和集群角色绑定,如下所示。
服务帐户
apiVersion: v1
kind: ServiceAccount
metadata:
name: dev-team
集群角色
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: dev-team-users
rules:
- apiGroups: ["rbac.authorization.k8s.io",""]
resources: ["namespaces"]
resourceNames: ["dev","qa"]
verbs: ["get","list","create"]
集群角色绑定
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: dev-team-user-bindings
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dev-team-users
subjects:
- kind: User
name: dev-team
namespace: kube-system
apiGroup: rbac.authorization.k8s.io
[当我尝试验证访问权限时kubectl get namespaces --as=dev-team
我收到以下错误消息
Error from server (Forbidden): namespaces is forbidden: User "dev-team" cannot list resource "namespaces" in API group "" at the cluster scope
我希望只显示dev
和qa
名称空间。我在这里想念什么吗?
list操作失败,因为您正在使用ClusterRole中的resourceNames
字段来限制名称空间对象也授予访问权限,但是list将返回all命名空间对象。
但是我想您真正想要的是限制对资源[[in的访问,而不是名称空间对象本身(其包含的信息不多于名称空间的名称)。] >要实现这一点,您必须在要授予用户访问权限的名称空间中创建Roles(或ClusterRole)和RoleBindings。
这里是如何允许dev-team
和dev
名称空间中的qa
用户进行
all
操作,但拒绝任何其他名称空间中的任何操作。创建ClusterRole(您也可以在dev
和qa
命名空间中创建角色,但是使用ClusterRole允许您仅定义一次权限,然后从多个RoleBindings中引用它:apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dev-team-users
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
同时在dev
和qa
名称空间中创建RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: dev-team-user-bindings
namespace: dev
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dev-team-users
subjects:
- kind: User
name: dev-team
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: dev-team-user-bindings
namespace: qa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dev-team-users
subjects:
- kind: User
name: dev-team
apiGroup: rbac.authorization.k8s.io
测试访问:
kubectl get pods -n qa --as=dev-team # Succeeds
kubectl get pods -n dev --as=dev-team # Succeeds
kubectl get pods -n default --as=dev-team # Fails
kubectl get pods -n kube-system --as=dev-team # Fails