我正在尝试通过利用 Kubernetes 命名空间的自动化来配置临时环境。我部署在 Kubernetes 中的自动化工作者必须能够创建命名空间。到目前为止,我对此的实验一无所获。我需要将哪个绑定附加到服务帐户以允许它控制命名空间?还是我的方法不对?
到目前为止我的代码:
deployment.yaml
:
apiVersion: apps/v1
kind: Deployment
metadata:
name: k8s-deployer
namespace: tooling
labels:
app: k8s-deployer
spec:
replicas: 1
selector:
matchLabels:
app: k8s-deployer
template:
metadata:
name: k8s-deployer
labels:
app: k8s-deployer
spec:
serviceAccountName: k8s-deployer
containers: ...
rbac.yaml
:
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-deployer
namespace: tooling
---
# this lets me view namespaces, but not write
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: administer-cluster
subjects:
- kind: ServiceAccount
name: k8s-deployer
namespace: tooling
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.io
答案 0 :(得分:2)
要让 Pod 控制 Kubernetes 中的某些东西,您至少需要四件事:
Role
/ClusterRole
(您选择了 administer-cluster
,我不知道哪些规则)。ServiceAccount
(您在命名空间 k8s-deployer
中创建了 tooling
)。RoleBinding
/ClusterRoleBinding
将两者放在一起。ServiceAccount
分配给 Pod。这是一个可以管理命名空间的示例:
# Create a service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-deployer
namespace: tooling
---
# Create a cluster role that allowed to perform
# ["get", "list", "create", "delete", "patch"] over ["namespaces"]
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k8s-deployer
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "create", "delete", "patch"]
---
# Associate the cluster role with the service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-deployer
# make sure NOT to mention 'namespace' here or
# the permissions will only have effect in the
# given namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-deployer
subjects:
- kind: ServiceAccount
name: k8s-deployer
namespace: tooling
之后,您需要像之前一样在 pod spec
中提及服务帐户名称。 documentation 中有关 RBAC 的更多信息。