默认服务帐户具有哪些默认权限?
[英]What default permissions does default service account have?
问题描述
Let's say I set up a fresh Kubernetes cluster. 
假设我建立了一个新的Kubernetes集群。 I assume the both kube-system and default namespaces will get a service account named default ? 我假设kube-system和default命名空间都将获得一个名为default的服务帐户。 Which permissions does that service account have? 该服务帐户具有哪些权限? Full read/write permissions? 完整的读/写权限?
I'm essentially asking this to understand best practises to give a custom Go controller write access to resources. 我本质上是在要求其了解最佳实践,以使自定义Go控制器可以对资源进行写访问。
1 个解决方案
解决方案1
4 2016-11-24 05:30:21
Service accounts have no inherent permissions. 服务帐户没有固有权限。 The permissions they have depend entirely on the authorization mode configured ( --authorization-mode flag passed to the apiserver) 他们拥有的权限完全取决于配置的授权模式(--authorization --authorization-mode标志传递给apiserver)
Defining RBAC roles is a good method for specifying the permissions required for a controller. 定义RBAC角色是指定控制器所需权限的好方法。
There are existing role definitions for in-tree controllers at https://github.com/kubernetes/kubernetes/tree/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy 在https://github.com/kubernetes/kubernetes/tree/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy中有树内控制器的现有角色定义
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.