[英]Granting a Kubernetes Service Account permissions for Secrets?
I have a Service Account which I'd like to grant permissions to read/write/update/delete Secrets within a specific namespace. 我有一个服务帐户,我想授予读/写/更新/删除特定命名空间内的秘密的权限。 I'm not clear about how exactly Service Accounts, Roles, Bindings, etc. work together to grant the right permissions.
我不清楚服务帐户,角色,绑定等如何协同工作以授予正确的权限。
What kubectl
invocations or YAML do I need to do to grant these permissions to the service account? 我需要做什么
kubectl
调用或YAML才能将这些权限授予服务帐户?
Here's the YAML for the Service Account I have so far: 这是我到目前为止的服务帐户的YAML:
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2018-10-09T17:45:20Z
name: testaccount
namespace: test
resourceVersion: "369702913"
selfLink: /api/v1/namespaces/test/serviceaccounts/testaccount
uid: f742ed5c-c1b3-11e8-8a69-0ade4132ab56
secrets:
- name: testaccount-token-brjxq
You need to create Role and Role binding. 您需要创建角色和角色绑定。
Create a role: 创建角色:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: test
name: role-test-account
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Create a role binding: 创建角色绑定:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-test-account-binding
namespace: test
subjects:
- kind: ServiceAccount
name: test-account
namespace: test
roleRef:
kind: Role
name: role-test-account
apiGroup: rbac.authorization.k8s.io
You can read more about using RBAC Authorization 您可以阅读有关使用RBAC授权的更多信息
So you have your SA testaccount
. 所以你有SA
testaccount
。 Let's assume your app (the one that manipulates the secrets) has a container image myorg/myapp:01
. 让我们假设你的应用程序(操纵秘密的应用程序)有一个容器图像
myorg/myapp:01
。 You'd launch it then as follows: 然后按如下方式启动它:
$ kubectl -n test run myapp \
--image=myorg/myapp:01 \
--serviceaccount=testaccount
But what about the permissions? 但是权限怎么样? Well, doesn't really matter if you do this before or after the app has launched, but at some point in time, do:
好吧,如果你在应用程序启动之前或之后执行此操作并不重要,但在某个时间点,请执行以下操作:
$ kubectl create clusterrole secretmanipulator \
--verb=get --verb=list --verb=watch \
--verb=create --verb=update --verb=patch --verb=delete \
--resource=secrets
$ kubectl -n test create rolebinding allowsecretmanipulation \
--clusterrole=secretmanipulator \
--serviceaccount=test:testaccount
Note that I created a cluster role above and used a role binding then to attach it to your SA. 请注意,我在上面创建了一个集群角色,然后使用角色绑定将其附加到您的SA。 Why?
为什么? It's more reusable like that.
它更像是可以重复使用的。 Of course a simple role would also work here but then you'd need to re-create it for every namespace.
当然,一个简单的角色也可以在这里工作,但是你需要为每个命名空间重新创建它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.