堆栈内存溢出
  简体   繁体   English

如何在Azure Kubernetes集群中启用服务帐户权限(已启用RBAC)?

[英]how can i assign permission to service account in azure kubernetes cluster( RBAC is enabled )?

 原文  2019-02-10 14:57:24       azure/ kubernetes/ rbac/ service-accounts

问题描述

I have created one Azure Kubernetes cluster with RBAC enabled. 我已经创建了一个启用了RBAC的Azure Kubernetes群集。

So my thinking is if any pod want to access any resource in cluster, it should be associated with service account and service account should have a specific role assigned to access resource. 因此,我的想法是,如果任何Pod想要访问群集中的任何资源,则应将其与服务帐户关联,并且服务帐户应具有分配给访问资源的特定角色。

But in my case I am able to access resource like list pod , list namespace from pod which is associated with a service account that does not have any role assigned. 但是在我的情况下,我可以访问与pod关联的资源,例如pod,list名称空间(与未分配任何角色的服务帐户相关联的pod)。

Please help me know if my understanding is wrong about RBAC or I am doing something wrong here !! 如果我对RBAC的理解有误,或者我在这里做错了,请帮助我!

1 个解决方案

解决方案1
 1  2019-02-10 15:03:15

Your understanding is right, i'm not exactly sure about permissions granted to default service account, but if you create your own role and assign it to the service account you can control permissions. 您的理解是正确的,我不确定授予默认服务帐户的权限,但是如果您创建自己的角色并将其分配给服务帐户,则可以控制权限。 sample: 样品: 

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: myserviceaccount
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: orleans-cluster
  namespace: mynamespace
subjects:
- kind: ServiceAccount
  name: myserviceaccount
  namespace: mynamespace

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orleans-cluster
rules:
- apiGroups:
  - orleans.dot.net
  resources:
  - clusterversions
  - silos
  verbs:
  - '*'

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myserviceccount
  namespace: mynamespace

if you assign myserviceaccount to the pod it will only allow the pod to do whatever is defined in the role. 如果将myserviceaccount分配给Pod,它将仅允许Pod执行角色中定义的任何操作。 so you need to create a role and a service account and use rolebinding (or clusterrolebinding for cluster wide permissions) to the service account. 因此,您需要创建一个角色和一个服务帐户,并对服务帐户使用角色绑定(或群集范围内的群集绑定)。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在Azure kubernetes服务中实现RBAC功能? - How to achieve the RBAC functionality in Azure kubernetes service? 如何在Azure Kubernetes服务上为Rabbitmq群集分配主机名 - how to assign hostname for rabbitmq cluster on Azure Kubernetes Service 如何从 azure kubernetes 集群中获取审计日志? 后来我想用它来定义使用audit2rbac工具 - how to fetch audit log from a azure kubernetes cluster? later i want to use it to define using audit2rbac tool 我可以使用 RBAC 访问 Azure 服务总线继电器吗? - Can I Access Azure Service Bus Relay Using RBAC? Azure AD - 服务主体能否在 Azure 订阅中为自己分配 RBAC 角色? - Azure AD - Can a Service Principal assign itself RBAC role in an Azure Subscription? 在Azure Kubernetes服务中禁用Azure Active Directory RBAC - Disabling Azure Active Directory RBAC in Azure Kubernetes Service 在Azure上的Kubernetes上启用RBAC - Enabling RBAC on Kubernetes on Azure Azure RBAC 权限 - Azure RBAC Permission 如何使用Azure RBAC限制虚拟机大小? - How can I restrict virtual machine sizes with Azure RBAC? 如何在Azure的SQL管理门户中更改服务帐户的权限 - how to change permission for the service account in azure's sql management portal
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM