我正在学习rbac来进行访问控制,这是我的角色定义:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: foobar-role
labels:
# Add these permissions to the "view" default role.
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "patch"]
该角色允许主体访问秘密,但我想知道是否可以将访问限制为特定路径:
apiVersion: v1
data:
keycloak.clientSecret: ...
keycloak.url: ...
user.password: ...
kind: Secret
metadata:
creationTimestamp: "2019-04-21T08:07:21Z"
labels:
app: foobar-ce
heritage: Tiller
release: foobar
name: foobar-secret
namespace: default
resourceVersion: "12348"
selfLink: /api/v1/namespaces/default/secrets/foobar-secret
uid: 7d8775d9-640c-11e9-8327-0242b821d21a
type: Opaque
例如,是否可以更改仅能执行的角色
{.data.keycloak\.url}
(只读){.data.keycloak\.clientSecret}
(仅写)答案 0 :(得分:1)
您可以限制为单个资源(策略中的resourceNames
),但不能超出此限制。我不认为该API甚至不支持部分访问。