
Kubernetes RBAC cluster-admin without secret reading permission

Is it possible to create a Kubernetes cluster admin without the ability to read namespace secrets?

I know you can create a ClusterRole and list every single resource and omit secrets, but it seems unintuitive.

Can you use Aggregated ClusterRoles to remove a permission? So using the ClusterRole cluster-admin and having a role that uses:

rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: [""]

Not really. Aggregated ClusterRoles are a set union of several ClusterRoles. To get the behavior you want you would need a set subtraction of the cluster-admin role minus the rules that you have defined. It's not supported in K8s as of this writing.
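To make the union point concrete, here is an added example (not from the question or answer above) that models how the RBAC authorizer matches PolicyRules: a request is allowed if any rule matches, so aggregating the question's empty-verb secrets rule onto cluster-admin changes nothing, while the enumerate-everything-except-secrets role the asker mentions does exclude secrets. The resource list and all rules are constructed, and resourceNames and nonResourceURLs are left out of the model.

```python
"""Minimal model of Kubernetes RBAC rule evaluation (constructed example)."""

# Constructed subset of `kubectl api-resources` output: (apiGroup, resource).
API_RESOURCES = [
    ("", "pods"), ("", "services"), ("", "configmaps"), ("", "secrets"),
    ("apps", "deployments"), ("rbac.authorization.k8s.io", "roles"),
]

# The built-in cluster-admin role grants everything via wildcards.
CLUSTER_ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# The rule proposed in the question: secrets with an empty verb string.
NO_SECRETS_RULE = [{"apiGroups": [""], "resources": ["secrets"], "verbs": [""]}]


def rule_allows(rule, group, resource, verb):
    """A rule matches when every field contains '*' or the exact value."""
    def matches(field, value):
        return "*" in field or value in field
    return (matches(rule["apiGroups"], group)
            and matches(rule["resources"], resource)
            and matches(rule["verbs"], verb))


def allows(rules, group, resource, verb):
    """RBAC is purely additive: allowed if ANY rule matches, and there is no
    deny rule, so adding a rule can only widen access, never narrow it."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


def aggregate(*rule_sets):
    """Aggregated ClusterRoles: the controller concatenates the rules of every
    selected ClusterRole, which is a set union of their permissions."""
    return [r for rules in rule_sets for r in rules]


def admin_without_secrets(api_resources):
    """Build the explicit allow-list the question mentions: one rule per API
    group listing every discovered resource except core/v1 secrets."""
    by_group = {}
    for group, resource in api_resources:
        if (group, resource) == ("", "secrets"):
            continue
        by_group.setdefault(group, []).append(resource)
    return [{"apiGroups": [g], "resources": sorted(rs), "verbs": ["*"]}
            for g, rs in sorted(by_group.items())]
```

The allow-list role has to be regenerated whenever new resource types (for example CRDs) are installed, since anything not enumerated is simply not granted.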
