I have been trying out a scenario in which a user should be able to perform all operations on the services in a namespace, but on one particular service he should only be able to perform read operations.
Below is the ClusterRole I am using to give all users service access at the cluster level.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterRole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - replicationcontrollers
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  - serviceaccounts
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  - namespaces
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - replicasets
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
I have created the associated RoleBinding for the above ClusterRole.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: ClusterRole
  name: test-clusterRole
  apiGroup: rbac.authorization.k8s.io
Now I am trying to create a Role and RoleBinding for the namespace "test-namespace" to restrict the user "pradeep" to read access on the specific service "test-service", as shown below.
Role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-role
  namespace: test-namespace
rules:
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["test-service"]
  verbs: ["get", "list", "watch"]
RoleBinding:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-roleBinding1
  namespace: test-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: pradeep
- kind: ServiceAccount
  name: default
  namespace: test-namespace
roleRef:
  kind: Role
  name: test-role
  apiGroup: rbac.authorization.k8s.io
However, for some reason the user "pradeep" can still delete the specified service "test-service". Are the test-clusterRole permissions overriding the test-role permissions? If so, how can this be resolved?
If not, please suggest a solution.
Answer 0 (score: 2)
ClusterRole and Role permissions are additive. Think of the ClusterRole permissions as the base permissions for every namespace, with the Role permissions for a specific namespace added on top of them.
If the user should only have access to one namespace, you cannot assign him to the ClusterRole.