I am trying to restrict a ServiceAccount's RBAC permissions to manage secrets in all namespaces:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: gitlab-secrets-manager
    rules:
    - apiGroups:
      - ""
      resources:
      - secrets
      resourceNames:
      - gitlab-registry
      verbs:
      - get
      - list
      - create
      - update

So far I have created the ServiceAccount and the related CRB, but the operation fails:
secrets "gitlab-registry" is forbidden: User "system:serviceaccount:gitlab:default" cannot get resource "secrets" in API group "" in the namespace "shamil"
Does anyone know what I'm missing?

ClusterRole:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: gitlab-secrets-manager
    rules:
    - apiGroups:
      - ""
      resources:
      - secrets
      resourceNames:
      - gitlab-registry
      verbs:
      - get
      - list
      - create
      - update

ClusterRoleBinding to grant the permission at the cluster level:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: gitlab-secrets-manager-clusterrolebinding
    subjects:
    - kind: ServiceAccount
      name: <service account name>
      namespace: <service account namespace>
    roleRef:
      kind: ClusterRole
      name: gitlab-secrets-manager
      apiGroup: rbac.authorization.k8s.io
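
The following is an added example, not part of the original question or answer: a simplified offline Python model of the RBAC check for the manifests above. It shows that the binding's subject must be the identity named in the error message (`system:serviceaccount:gitlab:default`), and that a rule with `resourceNames` does not match a `create` request, because a create carries no object name at authorization time. The function names are assumptions made for this sketch, and wildcards are not modelled.

```python
# Offline model of how the Kubernetes RBAC authorizer evaluates a
# ClusterRole bound through a ClusterRoleBinding. All objects below are
# constructed sample data mirroring the manifests on this page.

CLUSTER_ROLE = {
    "name": "gitlab-secrets-manager",
    "rules": [{
        "apiGroups": [""],
        "resources": ["secrets"],
        "resourceNames": ["gitlab-registry"],
        "verbs": ["get", "list", "create", "update"],
    }],
}

def binding(sa_name, sa_namespace):
    """ClusterRoleBinding with a single ServiceAccount subject."""
    return {
        "roleRef": {"kind": "ClusterRole", "name": "gitlab-secrets-manager"},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                      "namespace": sa_namespace}],
    }

def subject_matches(subject, user):
    # A ServiceAccount authenticates as system:serviceaccount:<ns>:<name>.
    expected = f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["kind"] == "ServiceAccount" and user == expected

def rule_allows(rule, verb, group, resource, name):
    if verb not in rule["verbs"] or group not in rule["apiGroups"]:
        return False
    if resource not in rule["resources"]:
        return False
    names = rule.get("resourceNames", [])
    # With resourceNames set, the request must carry a matching object name.
    # A create (POST to the collection) carries none, so it never matches.
    return not names or name in names

def allowed(crb, user, verb, resource, name="", group=""):
    """No namespace argument: a ClusterRoleBinding grants in every namespace."""
    if crb["roleRef"]["name"] != CLUSTER_ROLE["name"]:
        return False
    if not any(subject_matches(s, user) for s in crb["subjects"]):
        return False
    return any(rule_allows(r, verb, group, resource, name)
               for r in CLUSTER_ROLE["rules"])

USER = "system:serviceaccount:gitlab:default"  # identity from the error message
```

On a live cluster, `kubectl auth can-i get secrets/gitlab-registry -n shamil --as=system:serviceaccount:gitlab:default` answers the same question against the real bindings.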