可以在GKE上使用Google Cloud IAM设置命名空间级别的权限吗?
[英]Can Namespace level permissions be set with Google Cloud IAM on GKE?
2 个解决方案
解决方案1
1 已采纳 2018-10-17 13:23:01
Not at the moment, no. 
目前不行。 IAM is used to assign and verify permissions when interacting with GCP APIs. 与GCP API进行交互时,IAM用于分配和验证权限。 IAM can only provide access to the GKE API, which does not take into account namespaces. IAM只能提供对GKE API的访问,而不会考虑名称空间。
As you mentioned, RBAC is your option for more granular permissions within the cluster 如您所述,RBAC是您在集群内获得更细化权限的选项
解决方案2
1 2018-10-18 03:14:17
If I got your point correctly that: 如果我正确地理解了您的意思:
The IAM roles for a GKE kubernetes cluster are very simple, "Admin, Read/Write, Read". GKE kubernetes集群的IAM角色非常简单,即“管理员,读/写,读”。 But you need more fine-grained control over the kubernetes cluster. 但是您需要对kubernetes集群进行更细粒度的控制。
In this case: 在这种情况下:
There's a new "Alpha" feature in Google Cloud's IAM which wasn't available previously. Google Cloud的IAM中有一个新的“ Alpha”功能,该功能以前是不可用的。
Under IAM > Roles 在IAM下>角色
You can now create custom IAM roles with your own subset of permissions. 现在,您可以使用自己的权限子集来创建自定义IAM角色。
You can create a minimal role which allows for example gcloud container clusters get-credentials to work, but nothing else, allowing permissions within the kubernetes cluster to be fully managed by RBAC. 您可以创建一个最小角色,例如,它可以使gcloud container clusters get-credentials正常工作,而不能让RBAC完全管理kubernetes集群中的权限。
It will allow you to get more fine-grained access configurations for kubernetes cluster. 它将使您获得kubernetes集群的更多细粒度访问配置。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.