Kubernetes RBAC roles with resourceName and listing objects
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: p-viewer-role
  namespace: pepsi
rules:
- apiGroups:
  - ""
  resourceNames:
  - p83
  resources:
  - pods
  verbs:
  - list
  - get
  - watch
When we use resourceNames in the Role, the following command works:

  kubectl get pods -n pepsi p83

and returns a proper value. However,

  kubectl get pods -n pepsi

returns forbidden. Why doesn't it list p83?
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: p-viewer-rolebinding
  namespace: pepsi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: p-viewer-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pepsi-project-viewer
  namespace: project
This is expected behavior. You have defined a Role which is scoped to the namespace pepsi, to pod resources with the specific resourceName p83.

For the kubectl get pods -n pepsi command to work you need to remove the resourceNames p83 from the Role.

This kind of advanced validation is best handled by OPA, where you can define fine-grained policies.
Short answer: list (and watch) actually can be restricted by their resource name, and permits list (and watch) requests using a fieldSelector of metadata.name=... to match a single object (for example, /api/v1/namespaces/$ns/configmaps?fieldSelector=metadata.name=foo).

For more details and some tests you can check this link: https://github.com/kubernetes/website/pull/29468

@sftim and @liggitt do offer a lot of help!
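As an added illustration (not code from either answer or from Kubernetes itself), the following Python models the matching rule both answers describe: a Role with resourceNames authorizes a request only when the request carries an object name, which a plain list of the namespace does not, while a get by name or a list with fieldSelector=metadata.name=p83 does. The Rule class, request_name and allowed are assumed names for this simplified model, not the apiserver's own API.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed model (not Kubernetes code) of the RBAC rule described above:
# a rule with resourceNames only matches requests that carry an object name.

@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)

# The p-viewer-role from the question: core group, pods, list/get/watch, name p83
P_VIEWER_ROLE = [Rule([""], ["pods"], ["list", "get", "watch"], ["p83"])]

def request_name(url):
    """Name the apiserver attaches to a request, or "" for a bare collection.
    /api/v1/namespaces/<ns>/<resource>/<name> carries it in the path;
    /api/v1/namespaces/<ns>/<resource>?fieldSelector=metadata.name=<name>
    carries it in the selector (what kubectl --field-selector sends)."""
    parts = urlsplit(url)
    segs = parts.path.strip("/").split("/")
    if len(segs) >= 6 and segs[2] == "namespaces":
        return segs[5]
    for selector in parse_qs(parts.query).get("fieldSelector", []):
        for clause in selector.split(","):
            key, _, value = clause.partition("=")
            if key.strip() == "metadata.name" and value.strip():
                return value.strip()
    return ""  # plain list/watch of the whole collection: no name

def allowed(rules, verb, resource, url, api_group=""):
    """Return True if any rule permits the (verb, resource, name) of this request."""
    name = request_name(url)
    for rule in rules:
        if api_group not in rule.api_groups or resource not in rule.resources:
            continue
        if verb not in rule.verbs:
            continue
        # resourceNames set and the request names nothing (or another object): skip
        if rule.resource_names and name not in rule.resource_names:
            continue
        return True
    return False
```

In kubectl terms, `kubectl get pods -n pepsi --field-selector metadata.name=p83` is the request that the fieldSelector case models.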