Handling fine-grained permission control (namespace level and below) for Kubernetes container users

When we deploy to a cluster through Jenkins or another CI/CD tool, the permissions of certain roles must be restricted; a deploy identity with overly broad permissions is a security risk.

A RAM user is bound to the cluster's RBAC permissions


Fine-grained authorization for users after containerizing on k8s


1. Create the permission-restricted user



Permission details

jenkins-deploy-role

{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/a机房集群id",
                "acs:cs:*:*:cluster/a机房集群id",
                "acs:cs:*:*:cluster/a机房集群id",
                "acs:cs:*:*:cluster/b机房集群id",
                "acs:cs:*:*:cluster/b机房集群id",
                "acs:cs:*:*:cluster/b机房集群id",
                "acs:cs:*:*:cluster/c机房集群id",
                "acs:cs:*:*:cluster/c机房集群id",
                "acs:cs:*:*:cluster/c机房集群id"
            ]
        }
    ],
    "Version": "1"
}

2. Grant the user detailed authorization in the k8s console


Permissions can be managed at the namespace level by binding the corresponding ClusterRole to that namespace.



Role in the cluster (ClusterRole)

jenkins-deploy-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"jenkins-deploy-clusterrole"},"rules":[{"apiGroups":[""],"resources":["pods","services","configmaps"],"verbs":["create","get","list","update","watch","patch"]},{"apiGroups":["apps"],"resources":["deployments","deployments/scale","replicasets","replicasets/scale","daemonsets","statefulsets"],"verbs":["create","get","list","update","watch","patch"]},{"apiGroups":["batch"],"resources":["cronjobs","jobs"],"verbs":["create","get","list","update","watch"]},{"apiGroups":["extensions"],"resources":["ingresses"],"verbs":["create","get","list","update","watch"]}]}
  managedFields:
    - apiVersion: rbac.authorization.k8s.io/v1
      manager: kubectl-client-side-apply
      operation: Update
      time: '2021-12-27T05:45:33Z'
  name: jenkins-deploy-clusterrole
rules:
  - apiGroups:
      - ''
    resources:
      - pods
      - services
      - configmaps
    verbs:
      - create
      - get
      - list
      - update
      - watch
      - patch
  - apiGroups:
      - apps
    resources:
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - daemonsets
      - statefulsets
    verbs:
      - create
      - get
      - list
      - update
      - watch
      - patch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - get
      - list
      - update
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - create
      - get
      - list
      - update
      - watch
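The two layers above are easy to misjudge: the RAM policy decides which cloud API actions the Jenkins user may call on which clusters, while the ClusterRole, once bound to a namespace, decides which Kubernetes API operations it may perform inside that namespace and nothing outside it. The following added example (not the post's own code, and not ACK's or Kubernetes' authorizer) evaluates both layers locally against the post's own RAM policy and ClusterRole, and emits the namespaced RoleBinding that the console creates when the ClusterRole is bound to a namespace. Cluster IDs, the region and account in the ARNs, the namespace and the RAM user UID are constructed placeholders; the subject format for a RAM user is an assumption.

```python
"""Added example (not the post's own code): evaluate the two authorization
layers the post sets up for the Jenkins deploy identity and emit the
namespaced RoleBinding that the console creates when the ClusterRole is
bound to one namespace. Cluster IDs, region, account, namespace and the
RAM user UID are constructed placeholders."""
import fnmatch
import json

# RAM policy from the post (read-only cluster API access); the cluster IDs
# are replaced by placeholders.
RAM_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["cs:Get*", "cs:List*", "cs:Describe*"],
    "Effect": "Allow",
    "Resource": ["acs:cs:*:*:cluster/CLUSTER_ID_A", "acs:cs:*:*:cluster/CLUSTER_ID_B"]
  }],
  "Version": "1"
}""")

# The ClusterRole exactly as stored in the post's last-applied-configuration annotation.
CLUSTER_ROLE = json.loads('{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"jenkins-deploy-clusterrole"},"rules":[{"apiGroups":[""],"resources":["pods","services","configmaps"],"verbs":["create","get","list","update","watch","patch"]},{"apiGroups":["apps"],"resources":["deployments","deployments/scale","replicasets","replicasets/scale","daemonsets","statefulsets"],"verbs":["create","get","list","update","watch","patch"]},{"apiGroups":["batch"],"resources":["cronjobs","jobs"],"verbs":["create","get","list","update","watch"]},{"apiGroups":["extensions"],"resources":["ingresses"],"verbs":["create","get","list","update","watch"]}]}')


def ram_allows(action, resource_arn, policy=RAM_POLICY):
    """RAM-style evaluation: a statement matches when both an Action pattern and a
    Resource pattern match ('*' is a glob); an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"])
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, p) for p in stmt["Resource"])
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def _rbac_match(patterns, value, subresources=False):
    """'*' matches anything; a resource pattern '*/scale' matches the scale
    subresource of any resource; otherwise names must match exactly."""
    for p in patterns:
        if p == "*" or p == value:
            return True
        if subresources and p.startswith("*/") and "/" in value \
                and p[2:] == value.split("/", 1)[1]:
            return True
    return False


def rbac_allows(role, verb, api_group, resource, bound_ns, request_ns):
    """Kubernetes RBAC is additive and has no deny: the request is allowed iff some
    rule matches verb, API group and (sub)resource. Because the ClusterRole is
    granted through a RoleBinding, it only applies inside the bound namespace."""
    if request_ns != bound_ns:
        return False
    for rule in role["rules"]:
        if (_rbac_match(rule["verbs"], verb)
                and _rbac_match(rule["apiGroups"], api_group)
                and _rbac_match(rule["resources"], resource, subresources=True)):
            return True
    return False


def role_binding(namespace, subject_name, cluster_role="jenkins-deploy-clusterrole"):
    """RoleBinding that scopes the ClusterRole to one namespace (what the console's
    namespace-level authorization does). Subject name is assumed to be the RAM
    user's UID as ACK maps it; a placeholder is used here."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"jenkins-deploy-{namespace}", "namespace": namespace},
        "subjects": [{"kind": "User", "name": subject_name,
                      "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": cluster_role,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def audit(bound_ns="prod"):
    """Spot-check the requests a deploy pipeline does and does not need."""
    arn_a = "acs:cs:cn-hangzhou:123456789:cluster/CLUSTER_ID_A"  # constructed
    arn_z = "acs:cs:cn-hangzhou:123456789:cluster/CLUSTER_ID_Z"  # not in the policy
    return {
        "ram: describe cluster A": ram_allows("cs:DescribeClusterDetail", arn_a),
        "ram: delete cluster A": ram_allows("cs:DeleteCluster", arn_a),
        "ram: describe unlisted cluster Z": ram_allows("cs:DescribeClusterDetail", arn_z),
        "rbac: create deployment in prod": rbac_allows(CLUSTER_ROLE, "create", "apps", "deployments", bound_ns, "prod"),
        "rbac: scale deployment in prod": rbac_allows(CLUSTER_ROLE, "update", "apps", "deployments/scale", bound_ns, "prod"),
        "rbac: delete deployment in prod": rbac_allows(CLUSTER_ROLE, "delete", "apps", "deployments", bound_ns, "prod"),
        "rbac: read secrets in prod": rbac_allows(CLUSTER_ROLE, "get", "", "secrets", bound_ns, "prod"),
        "rbac: patch job in prod": rbac_allows(CLUSTER_ROLE, "patch", "batch", "jobs", bound_ns, "prod"),
        "rbac: list pods in kube-system": rbac_allows(CLUSTER_ROLE, "list", "", "pods", bound_ns, "kube-system"),
    }


if __name__ == "__main__":
    for check, ok in audit().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {check}")
    print(json.dumps(role_binding("prod", "RAM_USER_UID_PLACEHOLDER"), indent=2))
```

Running the audit makes the post's design visible in one table: the RAM layer allows only read-style actions (Get/List/Describe) and only on the listed clusters, so the user cannot delete or reconfigure a cluster through the cloud API; the RBAC layer grants create/update/patch on workloads but no `delete`, no access to `secrets`, no `patch` on batch jobs, and nothing at all in namespaces other than the one the RoleBinding names. Against a live cluster the same checks are `kubectl auth can-i <verb> <resource> -n <namespace> --as <subject>`.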




Posted by reblue520 (286 reads, 0 comments)