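I want a token that can be used in a piece of code with limited access to my k8s cluster, one that can only read the replicas of StatefulSets and scale them if required. I don't want whoever uses that code to be able to launch new things or delete running ones. Is this possible? If so, how do I do it?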
Answer 0: (score: 1)
You need RBAC (role-based access control) for this job.
Example pod reader role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
Bind this role to a user:
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
Change the apiGroup and verbs according to your requirements.
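
The pod-reader pattern from the answer above, adapted to the question's StatefulSet case, as an added example that is not part of the original answer. The names `sts-scaler` and `sts-scale-only` and the `default` namespace are assumptions; the token is tied to a ServiceAccount rather than a user.

```yaml
# Added example: all names and the namespace below are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sts-scaler
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sts-scale-only
  namespace: default
rules:
# Read-only access to StatefulSets (this includes spec.replicas).
# No create, delete, update or patch on the object itself.
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "list", "watch"]
# Replica changes go through the scale subresource only.
# Granting update/patch on "statefulsets" instead would also allow
# editing the pod template, i.e. running different workloads.
- apiGroups: ["apps"]
  resources: ["statefulsets/scale"]
  verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sts-scale-only
  namespace: default
subjects:
- kind: ServiceAccount
  name: sts-scaler
  namespace: default
roleRef:
  kind: Role
  name: sts-scale-only
  apiGroup: rbac.authorization.k8s.io
```

After applying, `kubectl auth can-i delete statefulsets -n default --as=system:serviceaccount:default:sts-scaler` and `kubectl auth can-i patch statefulsets --subresource=scale -n default --as=system:serviceaccount:default:sts-scaler` show what the account is allowed to do. `kubectl create token sts-scaler -n default` (kubectl 1.24 or later) issues a short-lived token for it.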