Controlling pod access permissions with RBAC in k8s
- Role definition
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" denotes the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
# This RoleBinding lets the user "tom" read Pods in the "default" namespace
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: tom # "name" is case-sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies which Role or ClusterRole is being bound
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you are binding
  apiGroup: rbac.authorization.k8s.io
- Check whether it worked
sudo kubectl auth can-i delete pods --namespace=default --as tom
Because pod-reader only grants get, watch and list, this must answer "no"; running the same command with get in place of delete should answer "yes", and asking about pods in any other namespace must answer "no" again, since a RoleBinding only grants access inside its own namespace. The --as impersonation flag only works if the identity actually running kubectl holds the impersonate permission (a cluster admin does).
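To make explicit why the check above answers the way it does, here is an added example (not code from the page or from the Kubernetes project) that models the RBAC authorizer's matching logic in Python against the page's Role and RoleBinding transcribed as dicts. The helper names (`can_i`, `page_checks`) are my own; ClusterRole and ClusterRoleBinding are deliberately left out, and the same model is applied to a few cases beyond the page's single delete check (other namespace, other resource, case-sensitivity of the user name).

```python
"""Offline model of how the Kubernetes RBAC authorizer evaluates a request.

Added example, not the page's own code: the Role and RoleBinding below are the
page's pod-reader / read-pods objects transcribed into Python dicts so the logic
runs without a cluster and without PyYAML.
"""

# The page's Role "pod-reader" in namespace "default" (transcribed).
POD_READER_ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "pod-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
}

# The page's RoleBinding "read-pods" binding User "tom" to pod-reader (transcribed).
READ_PODS_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "tom", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}


def _matches(patterns, value):
    """RBAC list matching: "*" is a wildcard, otherwise exact, case-sensitive match."""
    return "*" in patterns or value in patterns


def _rule_allows(rule, verb, api_group, resource):
    """A single rule allows the request only if verb, apiGroup and resource all match."""
    return (
        _matches(rule.get("verbs", []), verb)
        and _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
    )


def _subject_matches(subject, user, groups):
    """Does this binding subject cover the authenticated user (or one of its groups)?"""
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":
        # ServiceAccounts authenticate as system:serviceaccount:<namespace>:<name>
        return user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def can_i(roles, bindings, user, verb, resource, namespace, api_group="", groups=()):
    """True if some RoleBinding in `namespace` grants (verb, api_group, resource) to user.

    Mirrors `kubectl auth can-i <verb> <resource> --namespace <ns> --as <user>` for
    namespaced Roles/RoleBindings only (hypothetical helper, not a kubectl API).
    """
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        # A RoleBinding only ever grants access inside its own namespace.
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(_subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are not modelled in this example
        role = roles_by_key.get((namespace, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(_rule_allows(rule, verb, api_group, resource) for rule in role["rules"]):
            return True
    return False  # RBAC is deny-by-default: no matching rule means "no"


def page_checks():
    """The checks a practitioner would run after applying the page's two objects."""
    roles, bindings = [POD_READER_ROLE], [READ_PODS_BINDING]
    return {
        "tom delete pods default": can_i(roles, bindings, "tom", "delete", "pods", "default"),
        "tom get pods default": can_i(roles, bindings, "tom", "get", "pods", "default"),
        "tom list pods kube-system": can_i(roles, bindings, "tom", "list", "pods", "kube-system"),
        "Tom get pods default": can_i(roles, bindings, "Tom", "get", "pods", "default"),
        "tom get deployments default": can_i(
            roles, bindings, "tom", "get", "deployments", "default", api_group="apps"
        ),
    }


if __name__ == "__main__":
    for check, allowed in page_checks().items():
        print(f"{check}: {'yes' if allowed else 'no'}")
```

The only "yes" is the get-pods-in-default case; delete is not in the verb list, kube-system has no binding, "Tom" does not equal "tom", and deployments live in the apps group rather than the core group the rule names.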
https://www.qikqiak.com/post/use-rbac-in-k8s/
https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/