k8s rbac

RBAC: role-based access control.
At namespace granularity the chain is user - RoleBinding - Role, or user - group - RoleBinding - Role; at cluster granularity it is user - ClusterRoleBinding - ClusterRole, or user - group - ClusterRoleBinding - ClusterRole.

# Grant all permissions in the test namespace
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-client
  namespace: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-client
  namespace: test
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-client
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test-client
subjects:
# Bind the ServiceAccount created above. A ServiceAccount subject carries no apiGroup
# and is identified by namespace + name (its username is
# system:serviceaccount:test:test-client). A "kind: User" subject named test-client
# would only match a client authenticating as the user "test-client", and the
# namespace field is ignored for User subjects.
- kind: ServiceAccount
  name: test-client
  namespace: test

The apiGroups, resources and verbs available for a Role's rules can be looked up with kubectl api-resources -owide (the APIGROUP, NAME and VERBS columns).
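The following is an added example, not part of the original post: a small self-contained model of how the RBAC authorizer matches a request (user, verb, apiGroup, resource, namespace) against Roles and their bindings. It mirrors the post's wildcard Role and ServiceAccount, and adds two assumptions of its own for comparison: a read-only "pod-reader" Role, and a binding whose subject is a User named test-client, to show that such a subject does not match the ServiceAccount's real username. The wildcard lint at the end is the check a reviewer would run over a Role like the one above.

```python
"""Toy RBAC evaluator (added example, not Kubernetes' own code).

It implements the matching semantics the real authorizer uses: "*" wildcards in
apiGroups/resources/verbs, optional resourceNames, RoleBindings that only grant
inside their own namespace, and subject matching for User/Group/ServiceAccount.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]
    resource_names: Tuple[str, ...] = ()   # empty means "any object name"


@dataclass
class Role:
    name: str
    namespace: Optional[str]   # None would model a ClusterRole
    rules: List[Rule]


@dataclass
class Binding:
    role: Role
    subjects: List[Tuple[str, str, str]]   # (kind, name, namespace)
    namespace: Optional[str]               # None would model a ClusterRoleBinding


@dataclass(frozen=True)
class Request:
    user: str
    groups: Tuple[str, ...]
    verb: str
    api_group: str       # "" is the core group (pods, secrets, ...)
    resource: str
    namespace: str
    name: str = ""


def subject_matches(subject: Tuple[str, str, str], req: Request) -> bool:
    kind, name, ns = subject
    if kind == "ServiceAccount":
        # A ServiceAccount authenticates as system:serviceaccount:<ns>:<name>.
        return req.user == f"system:serviceaccount:{ns}:{name}"
    if kind == "User":
        return req.user == name
    if kind == "Group":
        return name in req.groups
    return False


def rule_allows(rule: Rule, req: Request) -> bool:
    def hit(wanted: str, allowed: Tuple[str, ...]) -> bool:
        return "*" in allowed or wanted in allowed
    return (hit(req.api_group, rule.api_groups)
            and hit(req.resource, rule.resources)
            and hit(req.verb, rule.verbs)
            and (not rule.resource_names or req.name in rule.resource_names))


def allowed(bindings: List[Binding], req: Request) -> bool:
    for b in bindings:
        if b.namespace is not None and b.namespace != req.namespace:
            continue   # a RoleBinding only grants inside its own namespace
        if not any(subject_matches(s, req) for s in b.subjects):
            continue
        if any(rule_allows(r, req) for r in b.role.rules):
            return True
    return False


def wildcard_rules(role: Role) -> List[Rule]:
    """Rules using '*' in any field: the ones a least-privilege review should challenge."""
    return [r for r in role.rules
            if any("*" in f for f in (r.api_groups, r.resources, r.verbs))]


# Mirrors the post's manifest: Role test-client in namespace test, everything allowed.
TEST_CLIENT_ROLE = Role("test-client", "test", [Rule(("*",), ("*",), ("*",))])
SA_BINDING = Binding(TEST_CLIENT_ROLE, [("ServiceAccount", "test-client", "test")], "test")
# Assumption for this example: the same Role bound to a User subject instead.
USER_BINDING = Binding(TEST_CLIENT_ROLE, [("User", "test-client", "test")], "test")
# Assumption for this example: a hardened, read-only alternative Role.
POD_READER_ROLE = Role("pod-reader", "test", [Rule(("",), ("pods",), ("get", "list", "watch"))])
POD_READER_BINDING = Binding(POD_READER_ROLE, [("ServiceAccount", "test-client", "test")], "test")

SA_USER = "system:serviceaccount:test:test-client"   # what the ServiceAccount authenticates as


def demo() -> dict:
    wide, narrow = [SA_BINDING], [POD_READER_BINDING]
    return {
        "wide_delete_secrets_test": allowed(wide, Request(SA_USER, (), "delete", "", "secrets", "test")),
        "wide_delete_secrets_default": allowed(wide, Request(SA_USER, (), "delete", "", "secrets", "default")),
        "user_subject_matches_sa": allowed([USER_BINDING], Request(SA_USER, (), "get", "", "pods", "test")),
        "narrow_list_pods_test": allowed(narrow, Request(SA_USER, (), "list", "", "pods", "test")),
        "narrow_delete_secrets_test": allowed(narrow, Request(SA_USER, (), "delete", "", "secrets", "test")),
        "wide_wildcard_rules": len(wildcard_rules(TEST_CLIENT_ROLE)),
        "narrow_wildcard_rules": len(wildcard_rules(POD_READER_ROLE)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly and compare the two bindings: the post's Role lets the ServiceAccount delete secrets in test but nothing in default (the RoleBinding is namespace-scoped), the User-subject binding never matches the ServiceAccount at all, and the pod-reader Role carries no wildcard rule for the lint to flag.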

posted on 2024-10-25 08:52  王景迁