我只想使用kubectl远程访问一个吊舱,因此请遵循here中提到的说明。
为此,我在kubernetes中创建了一个access.yml
文件:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: devops-user
namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: devops-user-limited-access
namespace: default
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: devops-user-view
namespace: default
subjects:
- kind: ServiceAccount
name: devops-user
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: devops-user-limited-access
在远程笔记本电脑中,我在~/.kube/config
中创建了一个文件,如下所示:
apiVersion: v1
kind: Config
preferences: {}
# Define the cluster
clusters:
- cluster:
certificate-authority-data: <my-ca.crt>
# You'll need the API endpoint of your Cluster here:
server: https://<server-ip>:6443
name: kubernetes
# Define the user
users:
- name: devops-user
user:
as-user-extra: {}
client-key-data: <my-ca.crt>
token: <token-created-by-k8s>
# Define the context: linking a user to a cluster
contexts:
- context:
cluster: kubernetes
namespace: default
user: devops-user
name: default
# Define current context
current-context: default
现在我可以“完全访问”“所有豆荚”,但这不是我想要的。我只想拥有:
我只希望对“一个容器”进行“完全访问”。
答案 0 :(得分:1)
只需将此添加到您的角色文件中
http://192.168.1.27/api/v4/projects/3/repository/tree?recursive=true
所以您的角色yaml文件应该是这样的
resourceNames: ["POD_NAME"]
答案 1 :(得分:0)