Problem description
I'm trying to create a read-only user on the Kubernetes dashboard who can only update and set the scale of specific deployments in a specific namespace. I have successfully created a read-only user for all resources. However, it is proving hard to allow access to specific resources.
Here is my ClusterRole with a specific rule that only allows updating the two deployments dummy-deployemnt1, dummy-deployemnt1:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dummy-deployemnt-user-admin
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - app
  resources:
  - deployments
  - deployments/scale
  resourceNames:
  - dummy-deployemnt1
  - dummy-deployemnt1
  verbs:
  - get
  - list
  - watch
  - update
Note that the deployments live in a specific namespace, say (dummy-namespace).
The ServiceAccount and ClusterRoleBinding look like this:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eks-dummy-deployemnt-user-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: eks-dummy-deployemnt-user-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dummy-deployemnt-user-admin
subjects:
- kind: ServiceAccount
  name: eks-dummy-deployemnt-user-admin
  namespace: kube-system
The problem I'm facing is that the user is still not allowed to update these two deployments. I'd like to know whether this setup is supported and, if so, what I'm missing.
Thanks in advance for any ideas on sorting this out.
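An added example, not code from the question or from any answer on this page: a namespaced Role and RoleBinding that grant only the update/scale rights on the named Deployments in dummy-namespace, to be used alongside the read-only ClusterRole above. Three points it illustrates: Deployments belong to the `apps` API group (the last rule of the question's ClusterRole uses `app`); a Role bound with a RoleBinding confines the write rights to one namespace, whereas a ClusterRole bound cluster-wide with `resourceNames` would match an object of that name in every namespace; and `list`/`watch` are left to the read-only ClusterRole because a `resourceNames` restriction only authorizes list/watch requests that carry a matching `metadata.name` field selector. The namespace name and the ServiceAccount are taken from the question; the Role name is an assumption.

```yaml
# Added example (not from the page). Assumes the Deployments are in
# dummy-namespace and the ServiceAccount from the question exists in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dummy-deployment-scaler        # assumed name
  namespace: dummy-namespace           # Role + RoleBinding: rights stop at this namespace
rules:
- apiGroups:
  - apps                               # Deployments live in "apps", not "app"
  resources:
  - deployments
  - deployments/scale
  resourceNames:
  - dummy-deployemnt1                  # name as given in the question; add the second Deployment here
  verbs:
  - get
  - update
  - patch                              # kubectl scale and the dashboard may PATCH the scale subresource
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dummy-deployment-scaler        # assumed name
  namespace: dummy-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dummy-deployment-scaler
subjects:
- kind: ServiceAccount
  name: eks-dummy-deployemnt-user-admin
  namespace: kube-system
```

After applying it, confirm the effective permissions without logging in as the account, e.g. `kubectl auth can-i update deployments/scale --subresource=scale -n dummy-namespace --as=system:serviceaccount:kube-system:eks-dummy-deployemnt-user-admin`, and check that the same verb is denied in another namespace.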
Solution
No working solution to this problem has been found yet.