I have been trying out a scenario where a user should be able to perform all operations on services in a namespace, except for one service on which they should only be able to perform read operations.
Below is the ClusterRole I am using to grant all users access to services at the cluster level.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterRole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - replicationcontrollers
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - serviceaccounts
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - namespaces
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - replicasets
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
I have created the corresponding RoleBinding for the ClusterRole above.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: ClusterRole
  name: test-clusterRole
  apiGroup: rbac.authorization.k8s.io
Now I am trying to create a Role and RoleBinding for the namespace "test-namespace" that restricts the user "pradeep" to read-only access on the specific service "test-service", as shown below.
Role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-role
  namespace: test-namespace
rules:
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["test-service"]
  verbs: ["get", "list", "watch"]
RoleBinding:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding1
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: Role
  name: test-role
  apiGroup: rbac.authorization.k8s.io
However, user "pradeep" is still able to delete the specified service "test-service" for some reason. Are the test-clusterRole permissions overriding the test-role permissions? If so, how can this be fixed?
If not, please suggest a way to implement this scenario.
ClusterRole and Role permissions are additive. The ClusterRole permissions act as the base permissions for any namespace, and the Role permissions for a specific namespace are added on top for that namespace.
If a user should only have access to a single namespace, they cannot be assigned to a ClusterRole.
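The following is an added example, not part of the question or answer above: a small model of how the API server unions every rule bound to a subject in a namespace (RBAC has allow rules only, no deny), run against the services rules transcribed from the question. The `Rule`, `granting_rules` and `can_i` names and the `FIXED_BINDINGS` layout with the constructed service names `frontend` and `backend` are ours, not the Kubernetes API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One entry of a Role/ClusterRole `rules:` list (only the fields used here)."""
    name: str                    # label naming the role the rule came from
    api_groups: tuple
    resources: tuple
    verbs: tuple
    resource_names: tuple = ()   # empty means "any object name"

    def allows(self, group, resource, verb, obj_name):
        return (group in self.api_groups and resource in self.resources
                and verb in self.verbs
                and (not self.resource_names or obj_name in self.resource_names))


# Rules transcribed from the question, restricted to the `services` resource.
CLUSTER_ROLE_SERVICES = Rule("test-clusterRole", ("",), ("replicationcontrollers", "services"),
                             ("get", "list", "watch", "create", "delete", "update"))
ROLE_TEST_SERVICE = Rule("test-role", ("",), ("services",),
                         ("get", "list", "watch"), ("test-service",))

# Effective rules for user pradeep in test-namespace: both RoleBindings apply.
QUESTION_BINDINGS = (CLUSTER_ROLE_SERVICES, ROLE_TEST_SERVICE)


def granting_rules(rules, verb, resource, obj_name, group=""):
    """RBAC is allow-only: a request succeeds if ANY bound rule permits it.
    Returns the names of the rules that grant it (empty tuple = denied)."""
    return tuple(r.name for r in rules if r.allows(group, resource, verb, obj_name))


def can_i(rules, verb, resource, obj_name, group=""):
    return bool(granting_rules(rules, verb, resource, obj_name, group))


# A constructed layout that does express the goal: the broad rule grants only
# read plus create (create cannot be restricted by resourceNames, the object
# name is unknown at authorization time), and update/delete are granted per
# named service, leaving test-service out of the writable list.
FIXED_BINDINGS = (
    Rule("services-read-create", ("",), ("services",), ("get", "list", "watch", "create")),
    Rule("services-write", ("",), ("services",), ("update", "delete"),
         ("frontend", "backend")),   # constructed names of the writable services
)

if __name__ == "__main__":
    print(granting_rules(QUESTION_BINDINGS, "delete", "services", "test-service"))
    print(can_i(FIXED_BINDINGS, "delete", "services", "test-service"))
```

Running it shows that `delete` on `test-service` is granted by `test-clusterRole` alone, which is why the narrower Role has no effect; the real cluster equivalent of this check is `kubectl auth can-i delete services/test-service --as pradeep -n test-namespace`.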