Service account access restricted to a namespace

Time: 2019-01-01 18:39:11

Tags: security kubernetes

I am setting up a Kubernetes container to manage a single namespace for some containers. So I created a pod with a service account. The service account yaml looks like this:

  ---
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: sa-test-1

  ---
  kind: Role
  apiVersion: rbac.authorization.k8s.io/v1beta1
  metadata:
    name: sa-test-1
  rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]a
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]

  ---
  apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: RoleBinding
  metadata:
    name: sa-test-1
    namespace: qa-namespaces

  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: sa-test-1
  subjects:
  - kind: ServiceAccount
    name: sa-test-1

To test the service account or role binding, as far as I can see, after installing kubectl into my pod, my pod can access pods across the whole cluster (even the default namespace).

In summary, my pod should only have access within a specific namespace. Please help!

1 answer:

Answer 0: (score: 1)

As far as I can tell, your yaml file is broken in several places.

As @rfum said, you need to specify the namespace in the Role, and there also seems to be an extra character at the end of resources: ["pods/exec"], so your Role should look like this:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: qa-namespaces
  name: sa-test-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]

You can create the ServiceAccount with the following command

kubectl create serviceaccount sa-test-serviceaccount --namespace qa-namespaces

Your RoleBinding is also a bit off; it should look like this:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-test-rolebinding
  namespace: qa-namespaces
subjects:
- kind: ServiceAccount
  name: sa-test-serviceaccount
  namespace: qa-namespaces
roleRef:
  kind: Role
  name: sa-test-role
  apiGroup: rbac.authorization.k8s.io

I would also recommend reading Configuring permissions in Kubernetes with RBAC and Using RBAC Authorization.
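As an added illustration (not code from the question, the answer, or Kubernetes itself), the following Python script turns the checks the answer makes by hand into a small manifest linter: a Role or ServiceAccount with no explicit namespace, a RoleBinding whose ServiceAccount subject carries no namespace, and a roleRef that names a Role not defined in the binding's own namespace. Both manifest sets are constructed here as the dicts a YAML loader would produce for the question's and the answer's objects, so it runs offline without PyYAML; the kubectl context namespace is assumed to be `default`.

```python
"""Static checks for the RBAC mistakes discussed in this thread.

Both manifest sets are constructed as the Python dicts a YAML loader would
produce, so the script runs offline without PyYAML. lint_rbac() reports a
Role or ServiceAccount with no explicit namespace, a RoleBinding whose
ServiceAccount subject has no namespace, and a roleRef naming a Role that
is not defined in the binding's own namespace.
"""

ALL_VERBS = ["create", "delete", "get", "list", "patch", "update", "watch"]

# Constructed: the question's objects as parsed YAML. The stray character
# after ["pods/exec"] is omitted because a YAML parser rejects it outright.
BROKEN_DOCS = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "sa-test-1"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1beta1", "kind": "Role",
     "metadata": {"name": "sa-test-1"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods"], "verbs": ALL_VERBS},
         {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ALL_VERBS},
         {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
     ]},
    {"apiVersion": "rbac.authorization.k8s.io/v1beta1", "kind": "RoleBinding",
     "metadata": {"name": "sa-test-1", "namespace": "qa-namespaces"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "sa-test-1"},
     "subjects": [{"kind": "ServiceAccount", "name": "sa-test-1"}]},
]

# Constructed: the answer's corrected objects (the ServiceAccount as
# `kubectl create serviceaccount ... --namespace qa-namespaces` produces it).
FIXED_DOCS = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "sa-test-serviceaccount", "namespace": "qa-namespaces"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "sa-test-role", "namespace": "qa-namespaces"},
     "rules": BROKEN_DOCS[1]["rules"]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "sa-test-rolebinding", "namespace": "qa-namespaces"},
     "subjects": [{"kind": "ServiceAccount", "name": "sa-test-serviceaccount",
                   "namespace": "qa-namespaces"}],
     "roleRef": {"kind": "Role", "name": "sa-test-role",
                 "apiGroup": "rbac.authorization.k8s.io"}},
]


def lint_rbac(docs, context_namespace="default"):
    """Return a list of finding strings; an empty list means no defect found.

    A namespaced object with no metadata.namespace is created in the kubectl
    context's namespace, modelled here by context_namespace (assumed "default").
    """
    findings = []
    roles = set()     # (namespace, name) of every Role in the set
    accounts = set()  # (namespace, name) of every ServiceAccount in the set

    def effective_ns(doc):
        meta = doc.get("metadata", {})
        ns = meta.get("namespace")
        if ns is None:
            findings.append(
                f"{doc.get('kind')} {meta.get('name')!r}: no metadata.namespace; "
                f"it would be created in the context namespace {context_namespace!r}")
            ns = context_namespace
        return ns, meta.get("name")

    # First pass: collect Roles and ServiceAccounts with their real namespaces.
    for doc in docs:
        kind = doc.get("kind")
        if kind == "Role":
            roles.add(effective_ns(doc))
        elif kind == "ServiceAccount":
            accounts.add(effective_ns(doc))

    # Second pass: check every RoleBinding against what was collected.
    for doc in docs:
        if doc.get("kind") != "RoleBinding":
            continue
        ns, name = effective_ns(doc)
        ref = doc.get("roleRef", {})
        # A roleRef of kind Role is resolved in the binding's own namespace.
        if ref.get("kind") == "Role" and (ns, ref.get("name")) not in roles:
            findings.append(
                f"RoleBinding {name!r}: roleRef names Role {ns}/{ref.get('name')}, "
                f"which is not defined in this namespace")
        for subj in doc.get("subjects", []):
            if subj.get("kind") != "ServiceAccount":
                continue
            if "namespace" not in subj:
                findings.append(
                    f"RoleBinding {name!r}: ServiceAccount subject {subj.get('name')!r} "
                    f"has no namespace (ServiceAccount subjects must carry one)")
            elif (subj["namespace"], subj["name"]) not in accounts:
                findings.append(
                    f"RoleBinding {name!r}: subject {subj['namespace']}/{subj['name']} "
                    f"is not a ServiceAccount in this manifest set")
    return findings


if __name__ == "__main__":
    for label, docs in (("question", BROKEN_DOCS), ("answer", FIXED_DOCS)):
        result = lint_rbac(docs)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The question's set yields four findings and the answer's set none. Once the corrected objects are applied, the live check is `kubectl auth can-i list pods --namespace qa-namespaces --as=system:serviceaccount:qa-namespaces:sa-test-serviceaccount`, which should answer yes, while the same query with `--namespace default` should answer no; if the default namespace still answers yes, the pod is not running under this service account (or another binding grants it more).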