Hi all, I want to restrict my developers so that they only see the resources they need on the Kubernetes dashboard (for example, only their own namespace rather than all namespaces). Is it possible to do this? If so, can someone point me to the right documentation? Many thanks.
I am using the following RBAC for the kube-system namespace. However, the user can see all namespaces on the dashboard, not just the ones he has access to.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: dashboard-reader-role
rules:
- apiGroups: [""]
  resources: ["services/proxy"]  # the subresource is "services/proxy"; "service/proxy" matches nothing
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-reader-ad-group-rolebinding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dashboard-reader-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "****************"
Answer 0 (score: 1)
See the k8s RBAC docs:
Example: create a developer role in the development namespace:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22; the v1 schema is the same
metadata:
  namespace: development
  name: developer
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["list", "get", "watch"]
  # You can use ["*"] for all verbs
Then bind it:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developer-role-binding
  namespace: development
subjects:
- kind: User
  name: DevDan
  apiGroup: rbac.authorization.k8s.io  # User and Group subjects require this apiGroup; only ServiceAccount uses ""
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io  # roleRef.apiGroup must always be rbac.authorization.k8s.io
Alternatively, you can bind one of the built-in roles to the user:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
C02W84XMHTD5:~ iahmad$ kubectl get clusterroles --all-namespaces | grep view
system:aggregate-to-view   17d
view                       17d
But this is the cluster-wide view role; if you want them to see only what is in a particular namespace, create a view role in that namespace and bind it there (as shown above).
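The answer's point is that a RoleBinding to a Role only grants inside its own namespace, while binding the built-in `view` ClusterRole through a ClusterRoleBinding grants across every namespace, which is what the dashboard then lists. The following is an added example, not code from the question or the answer: a small Python model of that scoping rule, using the answer's `developer` Role together with a constructed `dashboard-readers` group and a constructed subset of `view`, so the effect of a binding can be reasoned about before the manifests are applied.

```python
# Added example (not from the question or answer): a minimal offline model of how
# the API server scopes RBAC grants; every name below is constructed for illustration.

# Roles keyed by (kind, namespace, name); each rule is (apiGroups, resources, verbs).
ROLES = {
    # the namespaced "developer" Role from the answer
    ("Role", "development", "developer"): [
        ({"", "extensions", "apps"}, {"deployments", "replicasets", "pods"},
         {"list", "get", "watch"}),
    ],
    # a small constructed subset of the built-in cluster-wide "view" ClusterRole
    ("ClusterRole", None, "view"): [
        ({""}, {"pods", "services", "namespaces"}, {"get", "list", "watch"}),
    ],
}

# Bindings: a RoleBinding lives in one namespace; a ClusterRoleBinding has none.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "development",
     "subjects": {("User", "DevDan")}, "roleRef": ("Role", "developer")},
    # binding "view" cluster-wide is what lets a subject see every namespace
    {"kind": "ClusterRoleBinding", "namespace": None,
     "subjects": {("Group", "dashboard-readers")}, "roleRef": ("ClusterRole", "view")},
]

def _rule_allows(rule, group, resource, verb):
    groups, resources, verbs = rule
    return all(x in s or "*" in s
               for x, s in ((group, groups), (resource, resources), (verb, verbs)))

def can_i(subjects, verb, resource, namespace, group=""):
    """True if any binding for `subjects` grants `verb` on `resource`.
    namespace=None models a cluster-scoped request (listing across all
    namespaces), which only a ClusterRoleBinding can ever satisfy."""
    for b in BINDINGS:
        if not b["subjects"] & set(subjects):
            continue
        kind, name = b["roleRef"]
        if b["kind"] == "RoleBinding":
            # a RoleBinding never reaches outside its own namespace, even if it
            # references a ClusterRole; it also cannot satisfy cluster-scoped requests
            if namespace is None or b["namespace"] != namespace:
                continue
            key = (kind, b["namespace"] if kind == "Role" else None, name)
        else:
            key = ("ClusterRole", None, name)
        if any(_rule_allows(r, group, resource, verb) for r in ROLES.get(key, ())):
            return True
    return False
```

On a real cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n <namespace> --as <user> --as-group <group>`, which is the check to run after applying a binding.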