限制ServiceAccount /角色以管理所有群集中的机密

时间:2019-12-17 09:12:08

标签: kubernetes rbac

我试图限制ServiceAccount的RBAC权限来管理所有命名空间中的机密:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-secrets-manager
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - gitlab-registry
  verbs:
  - get
  - list
  - create
  - update
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-service-account
  namespace: gitlab
secrets:
- name: gitlab-service-account-token-lllll
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-service-account-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-secrets-manager
subjects:
- kind: ServiceAccount
  name: gitlab-service-account
  namespace: gitlab

到目前为止,我已经创建了ServiceAccount和相关的CRB,但是操作失败:

secrets "gitlab-registry" is forbidden: User "system:serviceaccount:gitlab:default" cannot get resource "secrets" in API group "" in the namespace "shamil"

有人知道我想念什么吗?

1 个答案:

答案 0 :(得分:2)

您可以执行以下步骤:

  • 首先,您需要确保群集中存在gitlab-service-account名称空间中名为gitlab的服务帐户。
  • 然后,您将按照给出的内容创建一个ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-secrets-manager
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - gitlab-registry
    verbs:
      - get
      - list
      - create
      - update
  • 然后,您还将创建一个ClusterRoleBinding来授予集群级别的权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-secrets-manager-clusterrolebinding
subjects:
  - kind: ServiceAccount
    name: gitlab-service-account    
    namespace: gitlab
roleRef:
  kind: ClusterRole
  name: gitlab-secrets-manager
  apiGroup: rbac.authorization.k8s.io
相关问题
最新问题