使用 NGINX Ingress 进行 Kubernetes 角色管理
[英]Kubernetes Role Managment with NGINX Ingress
问题描述
I have a Kubernetes Cluster running on Azure (AKS) with NGINX Ingress in front.
我有一个在 Azure (AKS) 上运行的 Kubernetes 集群,前面有 NGINX Ingress。
I'm a little bit confused how to seperate access on the diffrent ressources for multiple Users.我有点困惑如何为多个用户单独访问不同的资源。
The users should work on the apps.用户应该在应用程序上工作。 That's why it is fine if they can read logs, descriptions and exec some commands inside of the pods.这就是为什么如果他们可以读取日志、描述并在 pod 内执行一些命令就可以了。 But they should never adjust some Ingress ressources.但是他们永远不应该调整一些 Ingress 资源。
Microsoft provide a very good tutorial how to handle cases like that on AKS: https://docs.microsoft.com/en-us/azure/aks/azure-ad-rbac Microsoft 提供了一个非常好的教程,如何在 AKS 上处理此类案例: https : //docs.microsoft.com/en-us/azure/aks/azure-ad-rbac
There is an example how to add permissions to a group to the whole namespace.有一个示例如何将一个组的权限添加到整个命名空间。
My Question is now, how can I add permissions for a group to specific ressources inside of a namespace.我现在的问题是,如何将组的权限添加到命名空间内的特定资源。
For example I have following ressources:例如我有以下资源:
ressource type namespace
ingress-controller pod nginx-ingress
ingress-service service nginx-ingress
ingress-nginx ingress nginx-ingress
app1-service service nginx-ingress
app1 pod nginx-ingress
app2-service service nginx-ingress
app2 pod nginx-ingress
From my understanding I need to deploy all of them in the same namespace, otherwise the ingress can't forward the requests.根据我的理解,我需要将它们全部部署在同一个命名空间中,否则入口无法转发请求。 But how I can grant read, write, execute permissions to group1 for app1 and app1-service, and read to the rest?但是我如何为 app1 和 app1-service 授予 group1 的读取、写入、执行权限,并读取其余的权限?
2 个解决方案
解决方案1
1 已采纳 2020-03-20 18:22:57
You can specify specific resources by name in RBAC roles with the resourceNames field.您可以使用resourceNames字段在 RBAC 角色中按名称指定特定资源。
Create a Role that allows full access to app1 and app1-service :创建一个允许完全访问app1和app1-service的角色:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: app1-admin
rules:
- apiGroups:
- ""
resourceNames:
- app1
- app1-service
resources:
- pods
- pods/exec
- service
verbs:
- get
- list
- watch
- create
Create Role that allows read access to all other Pods and Services:创建允许读取所有其他 Pod 和服务的角色:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: read-all
rules:
- apiGroups:
- ""
resources:
- pods
- service
verbs:
- get
- list
- watch
Create two RoleBindings that bind both of these Roles to the group1 group:创建两个 RoleBindings,将这两个角色绑定到group1组:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: app1-admin-group1
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: app1-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: group1
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-all-group1
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: read-all
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: group1
Now, members of group1 should have full access to Pod app1 and Service app1-service , but only read access to all other resources.现在, group1成员应该拥有对 Pod app1和 Service app1-service完全访问权限,但只有对所有其他资源的读取访问权限。
解决方案2
0 2020-03-20 18:02:39
I dont think thats true at all, you can have ingress resources in different namespaces.我完全不认为那是真的,您可以在不同的命名空间中拥有入口资源。 also, you can actually refer to resource names in rbac.此外,您实际上可以在 rbac 中引用资源名称。
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.