[英]How to create a service account with no permissions in Kubernetes?
I want to create a serviceaccount
in Kubernetes with no permissions.我想在 Kubernetes 中创建一个没有权限的
serviceaccount
。
However, creating a new serviceaccount
as follows results in a privileged serviceaccount
, sa
, that is able to eg retrieve pod information:但是,如下创建一个新的
serviceaccount
产生一个特权serviceaccount
, sa
,它能够例如检索 pod 信息:
kubectl create serviceaccount sa -n devns
nlykkei:~/projects/k8s-examples$ kubectl get pods --as=system:serviceaccount:devns:sa -v6
I0318 16:12:34.161300 3466 loader.go:359] Config loaded from file: /Users/nlykkei/.kube/config
I0318 16:12:34.179023 3466 round_trippers.go:438] GET https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods?limit=500 200 OK in 11 milliseconds
I0318 16:12:34.179299 3466 get.go:564] no kind "Table" is registered for version "meta.k8s.io/v1beta1" in scheme "k8s.io/kubernetes/pkg/api/legacyscheme/scheme.go:30"
No resources found.
nlykkei:~/projects/k8s-examples$ kubectl auth can-i --list --as=system:serviceaccount:devns:sa
Resources Non-Resource URLs Resource Names Verbs
*.* [] [] [*]
[*] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
How can I create a serviceaccount
with no permissions initially?如何创建一个
serviceaccount
没有权限最初?
DfM Kubernetes 注入了一个名为 docker-for-desktop-binding 的 ClusterRoleBinding,它确实为所有东西提供了所有权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.