[英]Kubernetes RBAC apiGroup field in RoleBinding and ClusterRoleBinding
Why we need to write the apiGroup key in this definition again and again , if it is the same every time: 为什么我们需要一次又一次地在这个定义中编写apiGroup密钥,如果它每次都是相同的:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: web-rw-deployment
namespace: some-web-app-ns
subjects:
- kind: User
name: "joesmith@example.com"
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: "webdevs"
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: web-rw-deployment
apiGroup: rbac.authorization.k8s.io
apiGroup: rbac.authorization.k8s.io
apiGroup: rbac.authorization.k8s.io
this makes the yaml too redundant , is there any way to work around this. 这使得yaml过于冗余,有没有办法解决这个问题。 can we just skip this key?
我们可以跳过这个键吗? OR can we declare this somewhere globally.
或者我们可以在全球范围内宣布这个。
Good question. 好问题。 The rationale that I can think of is that there may be different APIs in the future that could be supported, for example,
rbacv2.authorization.k8s.io
and you wouldn't like to restrict references and subjects to just one for compatibility reasons. 我能想到的基本原理是,将来可能会支持不同的API,例如
rbacv2.authorization.k8s.io
,出于兼容性原因,您不希望将引用和主题限制为仅一个。
My take on this is that it would be nice to have yet another optional global field for RoleBinding
besides 'subjects' called something like 'bindingApigroup'. 我对此的看法是,除了名为'bindingApigroup'之类的'
RoleBinding
'之外,还有另一个可选的RoleBinding
全局字段。 Feel free to open an issue : kind/feature, sig/auth and/or sig/api-machinery. 随意打开一个问题 :kind / feature,sig / auth和/或sig / api-machinery。
Also, there might be more rationale/details in the sig-auth design proposals. 此外, sig-auth设计方案中可能还有更多的基本原理/细节。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.