Restricting a ServiceAccount/Role to managing Secrets across the whole cluster

Question

I am trying to restrict a ServiceAccount's RBAC permissions to managing secrets in all namespaces:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-secrets-manager
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - gitlab-registry
  verbs:
  - get
  - list
  - create
  - update

So far I have created the ServiceAccount and the related CRB, but the operation fails:

secrets "gitlab-registry" is forbidden: User "system:serviceaccount:gitlab:default" cannot get resource "secrets" in API group "" in the namespace "shamil"

Does anyone know what I am missing?

Tags: kubernetes, rbac

1 answer (0 votes)
You can follow these steps:

  • First, make sure your service account exists in the cluster.
  • Then create a ClusterRole as given below:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-secrets-manager
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - gitlab-registry
  verbs:
  - get
  - list
  - create
  - update

  • Then also create a ClusterRoleBinding to grant the permissions at cluster level:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-secrets-manager-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: <service account name>
  namespace: <service account namespace>
roleRef:
  kind: ClusterRole
  name: gitlab-secrets-manager
  apiGroup: rbac.authorization.k8s.io
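The error in the question names the caller as `system:serviceaccount:gitlab:default`, which is exactly the username a ClusterRoleBinding subject of kind ServiceAccount resolves to (`system:serviceaccount:<namespace>:<name>`); if the binding's subject names any other ServiceAccount, the ClusterRole above grants that caller nothing, regardless of namespace. The following offline model of RBAC evaluation is an added example, not code from the question, the answer or Kubernetes itself. It reimplements the authorizer's matching rules (verbs, apiGroups, resources, resourceNames, subjects) over the ClusterRole from the question, reproduces the forbidden error with a binding that names a different ServiceAccount (`gitlab-runner`, an assumed name), shows the same request succeeding once the subject is `default` in `gitlab`, and shows the caveat that `create` (and plain `list`) requests carry no object name at authorization time, so a rule with `resourceNames` never matches them.

```python
"""Offline model of Kubernetes RBAC evaluation for the ClusterRole/CRB above.

Added example, not code from the original question or answer. It mirrors how
the RBAC authorizer matches a request against bound ClusterRoles so you can
check which subject a binding really covers before applying it. The
ServiceAccount name "gitlab-runner" is an assumption used for illustration.
"""

# Verbs whose requests carry no object name at authorization time, so a rule
# that sets resourceNames can never match them (create's object name is not
# known yet; list/watch only carry a name with a metadata.name field selector,
# which is not modelled here).
NAMELESS_VERBS = {"create", "list", "watch", "deletecollection"}

# The ClusterRole from the question, as a dict instead of YAML.
GITLAB_SECRETS_MANAGER = {
    "kind": "ClusterRole",
    "metadata": {"name": "gitlab-secrets-manager"},
    "rules": [{
        "apiGroups": [""],
        "resources": ["secrets"],
        "resourceNames": ["gitlab-registry"],
        "verbs": ["get", "list", "create", "update"],
    }],
}


def service_account_user(namespace, name):
    """Username the API server assigns to a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


def subject_user(subject):
    """Username a binding subject refers to (Group subjects are not modelled)."""
    if subject["kind"] == "ServiceAccount":
        return service_account_user(subject["namespace"], subject["name"])
    if subject["kind"] == "User":
        return subject["name"]
    return None


def rule_allows(rule, verb, api_group, resource, name):
    """Does one PolicyRule match the request? Mirrors RBAC rule matching."""
    def matches(allowed, value):
        return "*" in allowed or value in allowed

    if not matches(rule.get("verbs", []), verb):
        return False
    if not matches(rule.get("apiGroups", []), api_group):
        return False
    if not matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames")
    if names:
        # A name-restricted rule needs a named request to compare against.
        if verb in NAMELESS_VERBS or name is None:
            return False
        return name in names
    return True


def can_i(roles, bindings, user, verb, api_group, resource, namespace, name=None):
    """Evaluate a request the way the RBAC authorizer does: allowed if any rule
    of any ClusterRole bound to the user via a ClusterRoleBinding matches.
    A ClusterRoleBinding applies in every namespace, so `namespace` (for
    example "shamil") does not change the answer here."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    for binding in bindings:
        if binding["roleRef"]["kind"] != "ClusterRole":
            continue  # namespace-scoped Role/RoleBinding are not needed here
        if user not in {subject_user(s) for s in binding["subjects"]}:
            continue  # binding names someone else: grants this caller nothing
        role = roles_by_name.get(binding["roleRef"]["name"])
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_allows(r, verb, api_group, resource, name) for r in role["rules"]):
            return True
    return False


def crb(sa_namespace, sa_name):
    """ClusterRoleBinding of gitlab-secrets-manager to one ServiceAccount."""
    return {
        "kind": "ClusterRoleBinding",
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}],
        "roleRef": {"kind": "ClusterRole", "name": "gitlab-secrets-manager"},
    }


def demo():
    """Reproduce the forbidden error, then the fix, then the resourceNames caveat."""
    roles = [GITLAB_SECRETS_MANAGER]
    caller = service_account_user("gitlab", "default")  # the user named in the error
    # Assumption: the binding named a different SA than the pod runs as.
    wrong = can_i(roles, [crb("gitlab", "gitlab-runner")], caller,
                  "get", "", "secrets", "shamil", "gitlab-registry")
    fixed = can_i(roles, [crb("gitlab", "default")], caller,
                  "get", "", "secrets", "shamil", "gitlab-registry")
    create = can_i(roles, [crb("gitlab", "default")], caller,
                   "create", "", "secrets", "shamil")
    return wrong, fixed, create


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

On a real cluster the equivalent check is `kubectl auth can-i get secrets/gitlab-registry -n shamil --as=system:serviceaccount:gitlab:default`; if the verb list must keep `create`, it needs a second rule on `secrets` without `resourceNames`, which widens the grant to every Secret in every namespace and is usually the point at which a namespaced Role plus RoleBinding is the safer design.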