0
我想的權限限制爲以下服務帳戶,創建它,如下所示:RBAC - 一個服務限制訪問帳戶
kubectl create serviceaccount alice --namespace default
secret=$(kubectl get sa alice -o json | jq -r .secrets[].name)
kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt
user_token=$(kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -d)
c=`kubectl config current-context`
name=`kubectl config get-contexts $c | awk '{print $3}' | tail -n 1`
endpoint=`kubectl config view -o jsonpath="{.clusters[?(@.name == \"$name\")].cluster.server}"`
kubectl config set-cluster cluster-staging \
--embed-certs=true \
--server=$endpoint \
--certificate-authority=./ca.crt
kubectl config set-credentials alice-staging --token=$user_token
kubectl config set-context alice-staging \
--cluster=cluster-staging \
--user=alice-staging \
--namespace=default
kubectl config get-contexts
#kubectl config use-context alice-staging
這有權限查看應有盡有: kubectl --context=alice-staging get pods --all-namespaces
我t RY與以下限制,但仍然有所有的權限:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: no-access
rules:
- apiGroups: [""]
resources: [""]
verbs: [""]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: no-access-role
subjects:
- kind: ServiceAccount
name: alice
namespace: default
roleRef:
kind: ClusterRole
name: no-access
apiGroup: rbac.authorization.k8s.io
這樣做是爲了限制進入一個命名空間來分發,爲用戶的令牌,但我不明白這一點...我認爲這可能是繼承權限,但我無法禁用單個serviceacount。
使用:GKE,集裝箱-VM
THX!
它使用Webhook:ps -aux | grep -o「authorization-mode = [a-zA-Z] *」>>> authorization-mode = Webhook ---我必須弄清楚如何爲GKE做這個改變 – jbelenus
最後使用:'gcloud container cluster update NAME -CLUSTER --no-enable-legacy-authorization --zone = YOUR-ZONE'來源:https://cloud.google.com/container-engine/docs/role-based-access-control – jbelenus