I have the following:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: SomeServiceAccount
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: SomeClusterRole
rules:
  - apiGroups:
      - "myapi.com"
    resources:
      - 'myapi-resources'
    verbs:
      - '*'
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: SomeClusterRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: SomeClusterRole
subjects:
  - kind: ServiceAccount
    name: SomeServiceAccount
But it throws: The ClusterRoleBinding "SomeClusterRoleBinding" is invalid: subjects[0].namespace: Required value
I thought the whole point of "Cluster"RoleBinding is that it's not limited to a single namespace. Can anyone explain this?
Kubernetes version 1.13.12
Kubectl version v1.16.2
Thanks.
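For example, regarding the namespace of a subject, here it says: If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
The cluster-wide aspect of a ClusterRoleBinding does not apply in any way to the subjects of the binding. In your example, you cannot create a binding for all service accounts with a particular name in all namespaces.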
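
A pre-flight check for the rule discussed above, as an added example that is not part of the original posts or of Kubernetes itself: it flags ClusterRoleBinding subjects of kind ServiceAccount that lack a namespace, and User or Group subjects that set one. The function names and the `default` namespace are assumptions made for illustration.

```python
import copy

NON_NAMESPACED_KINDS = {"User", "Group"}


def check_cluster_binding(manifest):
    """Return subject problems in a parsed ClusterRoleBinding manifest (dict)."""
    if manifest.get("kind") != "ClusterRoleBinding":
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    problems = []
    for i, subject in enumerate(manifest.get("subjects") or []):
        kind, ns = subject.get("kind"), subject.get("namespace")
        where = f'ClusterRoleBinding "{name}": subjects[{i}].namespace'
        if kind == "ServiceAccount" and not ns:
            # A service account is only identified by namespace plus name.
            problems.append(f"{where}: Required value")
        elif kind in NON_NAMESPACED_KINDS and ns:
            # Per the field documentation quoted in the answer above.
            problems.append(f"{where}: must be empty for kind {kind}")
    return problems


def pin_service_accounts(manifest, namespace):
    """Return a copy with `namespace` set on ServiceAccount subjects lacking one."""
    fixed = copy.deepcopy(manifest)
    for subject in fixed.get("subjects") or []:
        if subject.get("kind") == "ServiceAccount" and not subject.get("namespace"):
            subject["namespace"] = namespace
    return fixed


# The binding from the question, written out as a parsed manifest.
QUESTION_BINDING = {
    "kind": "ClusterRoleBinding",
    "apiVersion": "rbac.authorization.k8s.io/v1beta1",
    "metadata": {"name": "SomeClusterRoleBinding"},
    "roleRef": {
        "apiGroup": "rbac.authorization.k8s.io",
        "kind": "ClusterRole",
        "name": "SomeClusterRole",
    },
    "subjects": [{"kind": "ServiceAccount", "name": "SomeServiceAccount"}],
}

if __name__ == "__main__":
    print(check_cluster_binding(QUESTION_BINDING))
    # "default" is an assumed namespace for the service account.
    print(check_cluster_binding(pin_service_accounts(QUESTION_BINDING, "default")))
```

The permissions granted stay cluster-wide after the fix; only the identity receiving them is pinned to one namespace.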