所有人。
我想知道是否有一个选项可以授权用户通过本地组访问kubernetes对象?
像目前我正在这样做:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: example-rolebinding
namespace: mynamespace
subjects:
- kind: User
name: example-user1 # member of local unix group "authorized"
apiGroup: rbac.authorization.k8s.io
- kind: User
name: example-user2 # member of local unix group "authorized"
apiGroup: rbac.authorization.k8s.io
- kind: User
name: example-user3 # member of local unix group "authorized"
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: example-role
apiGroup: rbac.authorization.k8s.io
而且我正在尝试通过这种方式:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: example-rolebinding
namespace: mynamespace
subjects:
- kind: Group
name: authorized
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: example-role
apiGroup: rbac.authorization.k8s.io
有什么选择吗?还是我对K8S的需求太多了,需要自己开发一些东西?
谢谢
组是身份验证层和rbac系统之间的一种不透明构造。无论您使用哪个authn插件,都可以使用用户名和任意数量的组标记请求,然后rbac将使用它们。但是k8s本身并不知道用户或群组的真实身份。因此,tldr取决于您的身份验证配置和插件。