Kubernetes RBAC cluster-admin without secret reading permission

Is it possible to create a Kubernetes cluster admin without the ability to read namespace secrets?

I know you can create a ClusterRole and list every single resource and omit secrets, but that seems unintuitive.

Can you use Aggregated ClusterRoles to remove a permission? So, using the ClusterRole cluster-admin and having a role that uses:

rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: [""]
Not really. Aggregated ClusterRoles is a set union of several ClusterRoles. To get the behavior you want you would need a set subtraction of the cluster-admin role minus the rules that you have defined. It's not supported in K8s as of this writing.