我有一个服务帐户,我想授予在特定 namespace 中读取/写入/更新/删除 secret 的权限。我不清楚服务帐户,角色,绑定(bind)等如何完全配合以授予正确的权限。
我需要执行哪些kubectl调用或YAML才能将这些权限授予服务帐户?
这是我到目前为止拥有的服务帐户的YAML:
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2018-10-09T17:45:20Z
name: testaccount
namespace: test
resourceVersion: "369702913"
selfLink: /api/v1/namespaces/test/serviceaccounts/testaccount
uid: f742ed5c-c1b3-11e8-8a69-0ade4132ab56
secrets:
- name: testaccount-token-brjxq
最佳答案
您需要创建角色和角色绑定(bind)。
创建一个角色:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: test
name: role-test-account
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
创建角色绑定(bind):
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-test-account-binding
namespace: test
subjects:
- kind: ServiceAccount
name: test-account
namespace: test
roleRef:
kind: Role
name: role-test-account
apiGroup: rbac.authorization.k8s.io
您可以阅读有关using RBAC Authorization的更多信息
关于kubernetes - 授予Kubernetes服务帐户权限的 secret ?,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/52744289/