我正在尝试授予一组用户在 kubernetes 1.20 中扩展一组特定部署的权限
我尝试在这里使用API参考文档:https://kubernetes.io/docs/reference/ generated/kubernetes-api/v1.20/#patch-scale-deployment-v1-apps 像这样设置资源名称:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
resources:
- /namespaces/my-namespace-name/deployments/my-deployment-name/scale
- deployments/my-deployment-name/scale
verbs:
- update
- patch
这不起作用:
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
Error from server (Forbidden): deployments.apps "my-deployment-name" is forbidden: User "kubeoperatorrole" cannot patch resource "deployments/scale" in API group "apps" in the namespace "my-namespace-name"
我可以让缩放命令工作的唯一方法是授予所有部署的权限(这不是我想要的),如下所示:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
resources:
- deployments/scale
verbs:
- update
- patch
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
deployment.apps/my-deployment-name scaled
按名称指定特定部署资源的正确语法是什么,或者这是不可能的? 我的目标部署无法移动到隔离的命名空间。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kubeoperator-cr
rules:
- apiGroups: ["apps"]
resources:
- deployments/scale
resourceNames: ["my-deployment-name"] # <-- name of your deployment here
verbs:
- update
- patch
resources
不是您要找的,而是
resourceNames
,它必须是特定的对象名称,例如 resourceNames: [my-deployment-name]
。一般来说,这不是一种很好的方法,期望您将按命名空间对事物进行分段,并在一个命名空间(或两个或三个或其他任何命名空间)中授予它们权限。