Restrict a user to only one service in a namespace

Question (votes: 0, answers: 1)

I have been trying out a scenario where a user should be able to perform all operations on services in a namespace, except on one service, where he should only be able to perform read operations.

Below is the ClusterRole I am using to grant all users access to services at the cluster level.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterRole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - replicationcontrollers
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - serviceaccounts
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - namespaces
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - replicasets
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete

I have created the corresponding RoleBinding for the ClusterRole above.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: ClusterRole
  name: test-clusterRole
  apiGroup: rbac.authorization.k8s.io

Now I am trying to create a Role and RoleBinding for the namespace "test-namespace" that restrict the user "pradeep" to read-only access on the specific service "test-service", as follows:

Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-role
  namespace: test-namespace
rules:
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["test-service"]
    verbs: ["get", "list", "watch"]

RoleBinding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding1
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: Role
  name: test-role
  apiGroup: rbac.authorization.k8s.io

However, the user "pradeep" is still able to delete the specified service "test-service" for some reason. Do the test-clusterRole permissions override the test-role permissions? If so, how can this be resolved?

If not, please suggest a way to achieve this scenario.

service kubernetes roles rbac
1 answer

2 votes

ClusterRole and Role permissions are additive. The ClusterRole permissions act as the base permissions for any namespace, and the Role permissions for a specific namespace are added on top of them in that namespace.

If the user should only have access to a single namespace, they cannot be assigned a ClusterRole.
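The additive behaviour the answer describes can be seen by modelling the authorizer's decision. The following is an added example, not code from the question, the answer or Kubernetes itself: a toy evaluator that reproduces the allow-only union semantics of RBAC, loaded with the services rules from the question's own manifests (test-clusterRole and test-role, both bound to "pradeep" in "test-namespace"). The function names (`can_i`, `page_bindings`, `narrowed_bindings`, `pradeep_can`) and the service name "other-service" are constructed for the illustration.

```python
# Added example: a toy model of how the Kubernetes RBAC authorizer combines
# rules. It is NOT the apiserver's code; it reproduces only the union
# ("additive") semantics the answer describes, using the rules from the
# question's manifests (test-clusterRole, test-role, both bound to "pradeep"
# in "test-namespace").
from dataclasses import dataclass, field
from typing import List, Optional, Set


def _matches(allowed: List[str], value: str) -> bool:
    """A rule field matches when it lists the value or the wildcard "*"."""
    return "*" in allowed or value in allowed


@dataclass
class Rule:
    """One entry of a (Cluster)Role's `rules:` list, reduced to the fields used here."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)

    def allows(self, group: str, resource: str, name: str, verb: str) -> bool:
        if not (_matches(self.api_groups, group)
                and _matches(self.resources, resource)
                and _matches(self.verbs, verb)):
            return False
        # An empty resourceNames means "any object"; a non-empty list only
        # widens access to those names. It can never subtract from another rule.
        return not self.resource_names or name in self.resource_names


@dataclass
class Binding:
    """A RoleBinding (namespace set) or ClusterRoleBinding (namespace None),
    together with the rules of the role it references."""
    subjects: Set[str]
    rules: List[Rule]
    namespace: Optional[str] = None


def can_i(bindings: List[Binding], user: str, namespace: str,
          group: str, resource: str, name: str, verb: str) -> bool:
    """Allow-only evaluation: the request succeeds if ANY applicable rule allows it.
    There is no deny rule, so a narrower Role cannot override a broader grant."""
    for b in bindings:
        if user not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # a RoleBinding only applies in its own namespace
        if any(r.allows(group, resource, name, verb) for r in b.rules):
            return True
    return False


# Rules copied from the question's manifests (only the core-group services
# rule of test-clusterRole matters for the delete in question).
CLUSTER_ROLE_SERVICES_RULE = Rule([""], ["replicationcontrollers", "services"],
                                  ["get", "list", "watch", "create", "delete", "update"])
TEST_ROLE_RULE = Rule([""], ["services"], ["get", "list", "watch"],
                      resource_names=["test-service"])


def page_bindings() -> List[Binding]:
    """test-roleBinding (-> ClusterRole) plus test-roleBinding1 (-> Role), as on the page."""
    return [
        Binding({"pradeep"}, [CLUSTER_ROLE_SERVICES_RULE], namespace="test-namespace"),
        Binding({"pradeep"}, [TEST_ROLE_RULE], namespace="test-namespace"),
    ]


def narrowed_bindings() -> List[Binding]:
    """The only RBAC-expressible fix: stop granting the broad services verbs.
    RBAC cannot say "all services except test-service"; dropping the broad
    grant is the price of making test-service read-only."""
    return [Binding({"pradeep"}, [TEST_ROLE_RULE], namespace="test-namespace")]


def pradeep_can(verb: str, service: str, bindings: List[Binding],
                namespace: str = "test-namespace") -> bool:
    """Offline equivalent of: kubectl auth can-i <verb> services/<service> --as pradeep -n <namespace>"""
    return can_i(bindings, "pradeep", namespace, "", "services", service, verb)


if __name__ == "__main__":
    for label, bindings in (("page", page_bindings()), ("narrowed", narrowed_bindings())):
        for verb, svc in (("delete", "test-service"), ("get", "test-service"),
                          ("delete", "other-service")):
            print(f"{label:8} {verb:6} services/{svc}: {pradeep_can(verb, svc, bindings)}")
```

With the page's two bindings, `delete` on `services/test-service` is allowed because the ClusterRole's services rule matches and nothing can subtract from it; the Role with `resourceNames` only adds read verbs that were already granted. Once the broad services grant is removed, the delete is refused, but so is every verb on any other service, which is the trade-off RBAC forces. On a real cluster the same question is answered by `kubectl auth can-i delete services/test-service --as pradeep -n test-namespace`. The toy omits details of the real evaluator, for example that `resourceNames` cannot restrict `create` or `deletecollection` requests.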
