如何授予所有Kubernetes服务帐户访问特定命名空间的权限?

问题描述 投票:1回答:1

我在GCP中具有启用RBAC的Kubernetes集群

一个命名空间用于耕种机用于服务的多个

现在,我可以为特定服务帐户指定读者角色,因为它是全名

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: tiller-reader
  namespace: tiller
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - "get"
    - "watch"
    - "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-reader-role-binding
  namespace: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: system:serviceaccount:my-namespace-1:my-namespace-1-service-account

Service命名空间和帐户是动态创建的。我如何自动赋予所有服务帐户访问到蒂勒名称空间,例如:获取吊舱?

kubernetes kubernetes-helm rbac
1个回答
1
投票
要向所有服务帐户授予角色,您必须使用Group system:serviceaccounts。

您可以尝试以下配置:

apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" name: tiller-reader namespace: tiller rules: - apiGroups: [""] resources: ["pods"] verbs: - "get" - "watch" - "list" --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: tiller-reader-role-binding namespace: tiller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: tiller-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.