Restricting namespace users from accessing TLS secrets in an RBAC-enabled AKS cluster

Question  Votes: 0  Answers: 1

I want to restrict users under a namespace of an RBAC-enabled AKS / Kubernetes cluster so that they can only get Secrets, but not TLS Secrets. My cluster role has the following API permissions. But restricting users to get only Secrets and not TLS Secrets isn't possible; this doesn't work.

Code:

---
# ClusterRole-NamespaceAdmin-RoleGranter
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: clusterrole-ns-admin
rules:
  # "Pods" rules
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
  # "Nodes" rules - Node rules are effective only on cluster-role-binding
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
  # "Secrets" rules
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch", "create","update", "delete"]
  # "TLS Secrets" rules
  # Note: resourceNames matches the metadata.name of individual Secret objects,
  # not the Secret "type" field, so "kubernetes.io/tls" here matches nothing,
  # and the unrestricted "secrets" rule above already grants full access.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes.io/tls"]
  verbs: ["get", "watch", "list"]

Thanks in advance!

kubernetes namespaces azure-aks azure-container-service kubernetes-secrets
1 answer
0 votes

The short answer is that it is not possible. There is only a Secret kind of resource in Kubernetes, and you can apply RBAC to a single kind. There is no separate kind for TLS secrets.
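
What `resourceNames` actually does, as an added example that is not from the question or the answer: it matches object names, not the Secret `type`, so the closest RBAC gets to "secrets but not TLS secrets" is a namespaced Role that allow-lists the non-TLS secrets by name. The namespace, secret names and group name below are assumptions.

```yaml
# Added example (not from the original post). Assumed names: namespace
# "team-a", secrets "app-config" and "db-credentials", group "team-a-developers".
# RBAC has no selector on a Secret's "type" (e.g. kubernetes.io/tls);
# resourceNames matches metadata.name only, so allow-listing the non-TLS
# secrets by name is the closest RBAC can get.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a
  name: read-app-secrets
rules:
- apiGroups: [""]
  resources: ["secrets"]
  # Only these two objects match; a TLS secret under any other name is denied.
  resourceNames: ["app-config", "db-credentials"]
  # With resourceNames, "list"/"watch" only match requests that name the object
  # (field selector metadata.name=...); a bare "kubectl get secrets" is denied,
  # so this rule cannot be used to enumerate the namespace's secrets.
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team-a
  name: read-app-secrets
subjects:
- kind: Group
  name: team-a-developers   # assumed group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-app-secrets
  apiGroup: rbac.authorization.k8s.io
```

Verify the effect with `kubectl auth can-i get secrets/app-config -n team-a --as=<user>` (expected: yes) against the same check for a TLS secret's name (expected: no); the unrestricted `secrets` rule in the question's ClusterRole must be removed, or it will still grant everything.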

© www.soinside.com 2019 - 2024. All rights reserved.