Question

我正在尝试使用相同的令牌在Kubernetes中创建一个服务帐户，并仅允许他们访问三个名称空间。在Kubernetes中有可能吗？

我做了什么：

我创建我的服务帐户：

kubectl create serviceaccount myuser

我创建一个角色：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: myrole
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch

我创建一个ClusterRoleBinding

kind: ClusterRoleBinding
metadata:
  labels:
  name: myRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myrole
subjects:
- kind: ServiceAccount
  name: myuser
  namespace: wordpress
- kind: ServiceAccount
  name: myuser
  namespace: mysql
- kind: ServiceAccount
  name: myuser
  namespace: redis

我试图在名称空间wordpress中获取秘密，但是得到了：

Error from server (Forbidden): pods is forbidden: User
"system:serviceaccount:default:myuser" cannot list resource "secrets" in API group
 "" in the namespace "wordpress"

希望有人可以在这里提供帮助。

Answer 1

您要将该集群角色绑定到所有三个名称空间中的服务帐户。为此，请在每个命名空间中创建一个命名空间角色绑定。

即

set(CMAKE_ANDROID_STL_TYPE none)

Answer 2

尝试将其放入您的簇中

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: myrole
rules:
- apiGroups:
  - "*"
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch

为一个以上的命名空间创建服务帐户

2 个答案: