我曾尝试创建一个仅具有查看Pod权限的群集角色,但是由于某种原因,该帐户仍然可以看到所有内容。机密,部署,节点等。我还启用了跳过登录,默认情况下,匿名用户似乎也没有任何限制。
服务帐户:
git diff集群角色
-R集群角色绑定:
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-example
namespace: default
上下文:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cr-example
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
答案 0 :(得分:1)
您如何检查它是否有效?
我用以下Yamls复制了您的问题
apiVersion: v1
kind: ServiceAccount
metadata:
name: sa-example
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cr-example
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crb-example
roleRef:
apiGroup: rbac.authorization.k8s.io
name: cr-example
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: sa-example
namespace: default
然后我用kubectl auth can-i验证它是否有效
kubectl auth can-i get pods --as=system:serviceaccount:default:sa-example
yes
kubectl auth can-i get deployment --as=system:serviceaccount:default:sa-example
no
kubectl auth can-i get secrets --as=system:serviceaccount:default:sa-example
no
kubectl auth can-i get nodes --as=system:serviceaccount:default:sa-example
no
似乎一切正常
如果我的Yaml与众不同,唯一的是
kind: ClusterRole
metadata:
name: cr-example instead of cr-<role>
因此它实际上与ClusterRoleBinding相匹配
希望它能帮助您解决问题。让我知道您是否还有其他问题。