问题描述
我想仅对openshift中具有ADMIN角色的用户限制对机密的读写访问。如果用户是普通用户,则他可以访问除机密信息之外的所有内容(他不能透露机密信息,也不能进行编辑)。有什么办法吗? 谢谢!
解决方法
您可以尝试创建自己的角色以应用于所有非管理员角色,也可以仅编辑非管理员角色以删除对机密的访问权限。
Here扮演自己角色的指南。
例如,您的角色已经可以是:
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- pods
- secrets
- serviceaccounts
- services
verbs:
- create
- delete
- deletecollection
- get
- list
- update
- watch
,您可以删除资源下的秘密行:
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- pods
- serviceaccounts
- services
verbs:
- create
- delete
- deletecollection
- get
- list
- update
- watch
例如:
$ oc create user test
user.user.openshift.io/test created
$ oc create role test-role --verb=get --verb=list --resource=namespaces,pods,routes,services
role.rbac.authorization.k8s.io/test-role created
$ oc login -u test -p #####
Login successful.
You have one project on this server: "######"
Using project "####".
$ oc get pods
No resources found.
$ oc get secrets
No resources found.
Error from server (Forbidden): secrets is forbidden: User "test" cannot list secrets in the namespace "####": no RBAC policy matched