
kubernetes RBAC role verbs to exec to pod

In my 1.9 cluster I created this deployment role for the dev user. Deployment works as expected. Now I want to give exec and logs access to the developer. What role do I need to add to exec into the pod?

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev   # namespace taken from the error message below
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Error message:

kubectl exec nginx -it -- sh  

Error from server (Forbidden): pods "nginx" is forbidden: User "dev" cannot create pods/exec in the namespace "dev"

Thanks SR

The RBAC docs say that

Most resources are represented by a string representation of their name, such as “pods”, just as it appears in the URL for the relevant API endpoint. However, some Kubernetes APIs involve a “subresource”, such as the logs for a pod. [...] To represent this in an RBAC role, use a slash to delimit the resource and subresource.

To allow a subject to read both pods and pod logs, and be able to exec into the pod, you would write:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]

Some client libraries may do an http GET to negotiate a websocket first, which would require the "get" verb. kubectl sends an http POST instead, which is why it requires the "create" verb in that case.
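The matching the answer describes, as an added example that is not part of the original question or answer and is not Kubernetes code: a small Python model of how the RBAC authorizer matches a request (API group, resource or resource/subresource, verb) against a Role's rules, run against both Roles on this page. It shows why granting "create" on "pods" does not cover "pods/exec", and why a websocket client that negotiates with GET still fails under the answer's Role. The Request class, the role dicts and the evaluate helper are constructed for this illustration; the "pods/*" handling mirrors the authorizer's documented treatment of subresource wildcards.

```python
# Added example (not from the question, the answer, or Kubernetes source):
# a minimal model of RBAC rule matching, used to explain the Forbidden error.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One authorization check as the API server sees it."""
    group: str        # "" is the core API group (pods live there)
    resource: str     # e.g. "pods"
    subresource: str  # e.g. "exec" or "log"; "" for the resource itself
    verb: str         # e.g. "get", "list", "create"


def _in(allowed, value):
    # A rule field matches if it lists the value or the "*" wildcard
    return "*" in allowed or value in allowed


def _resource_matches(rule_resources, req):
    # Rules name subresources as "pods/exec"; granting "pods" does NOT imply
    # its subresources, which is exactly what the question's Role runs into.
    # "pods/*" means "every subresource of pods" (but not pods itself).
    target = req.resource if not req.subresource else f"{req.resource}/{req.subresource}"
    for r in rule_resources:
        if r == "*" or r == target:
            return True
        if req.subresource and r == f"{req.resource}/*":
            return True
    return False


def rule_allows(rule, req):
    return (_in(rule["apiGroups"], req.group)
            and _in(rule["verbs"], req.verb)
            and _resource_matches(rule["resources"], req))


def role_allows(role, req):
    # RBAC is purely additive: one matching rule is enough, nothing can deny
    return any(rule_allows(rule, req) for rule in role["rules"])


# The two Roles from the page, as Python dicts instead of YAML
DEPLOYMENT_MANAGER = {
    "rules": [{
        "apiGroups": ["", "extensions", "apps"],
        "resources": ["deployments", "replicasets", "pods"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}

POD_AND_POD_LOGS_READER = {
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}

# What the API server actually checks for the commands in the thread
KUBECTL_EXEC = Request("", "pods", "exec", "create")   # kubectl exec: POST to pods/exec
KUBECTL_LOGS = Request("", "pods", "log", "get")        # kubectl logs: GET to pods/log
WEBSOCKET_EXEC = Request("", "pods", "exec", "get")     # client that negotiates a websocket with GET


def evaluate(role):
    """Return what a Role grants for the three requests above."""
    return {
        "exec (kubectl)": role_allows(role, KUBECTL_EXEC),
        "exec (websocket GET)": role_allows(role, WEBSOCKET_EXEC),
        "logs": role_allows(role, KUBECTL_LOGS),
    }


if __name__ == "__main__":
    for name, role in [("deployment-manager", DEPLOYMENT_MANAGER),
                       ("pod-and-pod-logs-reader", POD_AND_POD_LOGS_READER)]:
        print(name, evaluate(role))
```

On a live cluster the same question is answered by the API server itself with `kubectl auth can-i create pods/exec --as dev -n dev` and `kubectl auth can-i get pods/log --as dev -n dev`, which is the check worth running after binding a new Role and before handing the credentials to the developer.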
