在实施RBAC时,即使在应用roleBinding之后,默认用户仍保留访问权限
[英]Implementing RBAC, the default user still retains access even after applying roleBinding
问题描述
I want to implement RBAC for each user. 
我想为每个用户实施RBAC。 Already have OIDC running and I can see my user credentials being saved in kube config. OIDC已在运行,我可以看到我的用户凭据已保存在kube config中。 But to check my rolebindings, i have to run the command as kubectl get pods --as=user@email.com , even though I am logged in as user@email.com (through gcloud init). 但是要检查我的角色kubectl get pods --as=user@email.com ,即使我以user@email.com身份登录(通过gcloud init),我也必须以kubectl get pods --as=user@email.com身份运行命令。 I am an owner account in our cloud but I was assuming the RBAC limitations should still work. 我是我们云中的所有者帐户,但我假设RBAC限制仍然可以使用。
2 个解决方案
解决方案1
1 2018-06-13 09:16:26
Apart from credentials, you should configure a kubectl context to associate this credentials with the cluster. 除了凭据之外,您还应该配置kubectl上下文以将此凭据与集群关联。 And to set it as the default context: 并将其设置为默认上下文:
First, list kubectl clusters with k config get-clusters 首先,使用k config get-clusters列出kubectl k config get-clusters
Then create a new context: 然后创建一个新的上下文:
kubectl config set-context my-new-context --cluster <CLUSTER NAME> --user="user@email.com"
And finally configure the new context as default: 最后将新上下文配置为默认:
kubectl config use-context my-new-context
解决方案2
0 2018-06-13 14:21:55
I am an owner account in our cloud but I was assuming the RBAC limitations should still work.
RBAC is additive only. RBAC仅是添加剂。 If you have permissions via another configured authorizer, you will still have those permissions even if you have lesser permissions via RBAC. 如果您具有通过其他已配置的授权者的权限,即使您通过RBAC拥有的权限较小,您仍将拥有这些权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.