Creating new CRD resource with cluster-admin role
I created a new service account and a rolebinding giving him the role of cluster-admin as follows. I applied a new CRD resource with it and I expected it to fail as the default cluster-admin role can not manage CRD unless a new ClusterRole is created with aggregate-to-admin label, but the CRD was created and I do not understand why.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
kubectl create -f new_crd.yaml --as=system:serviceaccount:test-ns:test
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-rolebinding
subjects:
- kind: ServiceAccount
  name: test
  namespace: test-ns
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Addressing the part of the last comment:

I do not understand the purpose of using aggregate-to-admin label -- I thought its purpose is to add rules to cluster-admin but if cluster-admin can do anything in the first place then why it is used?

aggregate-to-admin is a label used to aggregate ClusterRoles. This exact label is used to aggregate ClusterRoles to an admin ClusterRole.

A side note!

cluster-admin and admin are two separate ClusterRoles.

I will include the example of aggregating ClusterRoles with an explanation below.
You can read in the official Kubernetes documentation:
Default ClusterRole | Default ClusterRoleBinding | Description
---|---|---
cluster-admin | system:masters group | Allows super-user access to perform any action on any resource.
admin | None | Allows admin access, intended to be granted within a namespace using a RoleBinding.
The principle behind aggregated ClusterRoles is to have one ClusterRole that has multiple other ClusterRoles aggregated to it.
Let's assume that:

- ClusterRole: aggregated-clusterrole will be aggregating two other ClusterRoles that will have needed permissions on some actions.
- ClusterRole: clusterrole-one will be used to add some permissions to aggregated-clusterrole
- ClusterRole: clusterrole-two will be used to add some permissions to aggregated-clusterrole

An example of such setup could be implemented by YAML definitions like below:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregated-clusterrole
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/put-here-any-label-name: "true" # <-- IMPORTANT
rules: []
Above definition will be aggregating ClusterRoles created with a label:

rbac.example.com/put-here-any-label-name: "true"
Describing this ClusterRole without aggregating any ClusterRoles with previously mentioned label:
$ kubectl describe clusterrole aggregated-clusterrole
Name: aggregated-clusterrole
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
Two ClusterRoles that will be used are the following:

clusterrole-one.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: clusterrole-one
  labels:
    rbac.example.com/put-here-any-label-name: "true" # <-- IMPORTANT
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
clusterrole-two.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: clusterrole-two
  labels:
    rbac.example.com/put-here-any-label-name: "true" # <-- IMPORTANT
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["create", "delete"]
After applying above definitions, you can check if aggregated-clusterrole has the permissions used in clusterrole-one and clusterrole-two:
$ kubectl describe clusterrole aggregated-clusterrole
Name: aggregated-clusterrole
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
services [] [] [create delete]
pods [] [] [get list watch]
Additional resources:
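The two mechanisms the answer leans on, label-driven aggregation and the allow-only rule match that makes cluster-admin's wildcard rule permit CRD creation, can be checked without a cluster. The following is an added example, not code from the answer above and not Kubernetes source: a small Python model of what the clusterrole-aggregation controller and the RBAC authorizer do with the objects shown on this page. The `rbac.example.com/...` label and the ClusterRoles `aggregated-clusterrole`, `clusterrole-one` and `clusterrole-two` are the page's; `crd-editor` is a hypothetical ClusterRole added here to show how the `aggregate-to-admin` label feeds `admin`. cluster-admin's single `*`/`*`/`*` rule is its real default, while `admin`'s own default rules are omitted and only its selector is modelled.

```python
"""Offline model of ClusterRole aggregation and RBAC rule evaluation.

Added example (not from the original post, not Kubernetes code). It mimics
what the clusterrole-aggregation controller and the RBAC authorizer do so the
page's `kubectl describe` result and the cluster-admin behaviour can be
reproduced without a cluster. `crd-editor` is a hypothetical ClusterRole.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list   # "" is the core API group, "*" matches every group
    resources: list
    verbs: list


@dataclass
class ClusterRole:
    name: str
    rules: list = field(default_factory=list)
    labels: dict = field(default_factory=dict)
    # aggregationRule.clusterRoleSelectors: one matchLabels dict per selector
    selectors: list = field(default_factory=list)


def _matches(selector: dict, labels: dict) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def aggregate(target: ClusterRole, roles: list) -> list:
    """Controller behaviour for a ClusterRole carrying an aggregationRule:
    its rules become the union of the rules of every other ClusterRole whose
    labels satisfy at least one selector. Rules written on the target itself
    are overwritten, which is why the page leaves `rules: []`."""
    out = []
    for role in sorted(roles, key=lambda r: r.name):
        if role is target:
            continue
        if any(_matches(sel, role.labels) for sel in target.selectors):
            out.extend(role.rules)
    return out


def effective_rules(role: ClusterRole, roles: list) -> list:
    return aggregate(role, roles) if role.selectors else role.rules


def _in(allowed_values: list, value: str) -> bool:
    return "*" in allowed_values or value in allowed_values


def allowed(rules: list, verb: str, resource: str, group: str = "") -> bool:
    """RBAC is allow-only: a request is permitted if any single rule matches
    its group, resource and verb; there is no deny rule to override a wildcard."""
    return any(_in(r.api_groups, group) and _in(r.resources, resource)
               and _in(r.verbs, verb) for r in rules)


# Objects from the page (constructed here, mirroring the YAML above).
AGG_LABEL = "rbac.example.com/put-here-any-label-name"
ADMIN_LABEL = "rbac.authorization.k8s.io/aggregate-to-admin"

CLUSTER_ADMIN = ClusterRole("cluster-admin", rules=[Rule(["*"], ["*"], ["*"])])
ADMIN = ClusterRole("admin", selectors=[{ADMIN_LABEL: "true"}])  # own rules omitted
AGGREGATED = ClusterRole("aggregated-clusterrole", selectors=[{AGG_LABEL: "true"}])
ONE = ClusterRole("clusterrole-one", labels={AGG_LABEL: "true"},
                  rules=[Rule([""], ["pods"], ["get", "list", "watch"])])
TWO = ClusterRole("clusterrole-two", labels={AGG_LABEL: "true"},
                  rules=[Rule([""], ["services"], ["create", "delete"])])
# Hypothetical: a ClusterRole that opts into `admin` through the aggregate-to-admin label.
CRD_EDITOR = ClusterRole("crd-editor", labels={ADMIN_LABEL: "true"},
                         rules=[Rule(["apiextensions.k8s.io"],
                                     ["customresourcedefinitions"], ["create"])])

BASE = [CLUSTER_ADMIN, ADMIN, AGGREGATED, ONE, TWO]


def aggregated_permissions() -> set:
    """(resource, verb) pairs `kubectl describe clusterrole aggregated-clusterrole` would list."""
    return {(res, verb) for r in aggregate(AGGREGATED, BASE)
            for res in r.resources for verb in r.verbs}


def can_create_crd(role: ClusterRole, extra=()) -> bool:
    """Equivalent of `kubectl auth can-i create customresourcedefinitions` for a
    subject bound to `role`, with `extra` ClusterRoles present in the cluster."""
    rules = effective_rules(role, BASE + list(extra))
    return allowed(rules, "create", "customresourcedefinitions", "apiextensions.k8s.io")


if __name__ == "__main__":
    print(sorted(aggregated_permissions()))
    print("cluster-admin:", can_create_crd(CLUSTER_ADMIN))              # wildcard rule matches
    print("admin:", can_create_crd(ADMIN))                              # nothing aggregated grants it
    print("admin + crd-editor:", can_create_crd(ADMIN, [CRD_EDITOR]))   # label pulled the rule in
```

The model makes the two points of the answer concrete: `aggregate-to-admin` changes what `admin` can do only because `admin` carries a selector for that label, and `cluster-admin` needs no aggregation because its wildcard rule already matches the `create` verb on `customresourcedefinitions` in the `apiextensions.k8s.io` group. In a real cluster, `kubectl auth can-i create customresourcedefinitions --as=system:serviceaccount:test-ns:test` is the corresponding check.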