
How to restrict a user from creating namespaces in Kubernetes

Say I have a k8s cluster.

I would like to restrict users from creating their own namespaces, and only allow an admin to create namespaces.

I am trying to use cluster role rules:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-role
rules:
- apiGroups: [""]   # namespaces live in the core API group, written as "" (not "v1", which is a version)
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]

But I found the user can still create namespaces. Is there any solution for this?

You need to create a ClusterRoleBinding to apply the ClusterRole my-role to the user. Assuming the user is jane, below is an example. The problem with this approach is that you need to keep updating it as and when new users get onboarded.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-reader
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: ClusterRole # this must be Role or ClusterRole
  name: my-role # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

An alternative and better approach would be to restrict all authenticated users from creating namespaces using the ClusterRoleBinding below. Since we are applying the ClusterRole to the group system:authenticated, and every user who is successfully authenticated is placed into this group automatically by Kubernetes, no user except the admin user will be able to create namespaces.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-reader
subjects:
# You can specify more than one "subject"
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: ClusterRole # this must be Role or ClusterRole
  name: my-role # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

Since the admin user is part of a set of admin groups, it will be possible to create namespaces as the admin user.
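Kubernetes RBAC is allow-only and additive: a request is permitted if any rule in any role bound to the subject (directly by user name or through one of its groups) matches the verb, API group and resource, and there is no deny rule. A role that lists only get, list and watch therefore grants nothing beyond those verbs, and whether a user such as jane can create namespaces comes down to whether any binding reachable from her user name or groups grants the create verb on namespaces in the core API group (apiGroups: [""]). The following Python model of that evaluation is an added example, not code from the original post or from Kubernetes itself; the in-memory manifests, the role name cluster-admin-like, and the assumption that the admin belongs to the system:masters group are constructed for illustration. The same functions can be fed ClusterRole and ClusterRoleBinding objects exported from a cluster to audit who is able to create namespaces and which rule grants it.

```python
"""Minimal model of Kubernetes RBAC evaluation for one request.

Constructed example (not code from the page or from Kubernetes). It models
the allow-only, additive semantics of RBAC: a request is permitted if ANY
rule in ANY role bound to the subject matches the verb, apiGroup and
resource. Nothing in a role can take a permission away.
"""

# Constructed manifests mirroring the shape of the question and answer:
# a read-only role bound to every authenticated user, plus a wildcard role
# bound to the system:masters group (assumed here to contain the admin).
CLUSTER_ROLES = {
    "my-role": [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    ],
    "cluster-admin-like": [  # hypothetical name; same rule shape as cluster-admin
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "my-role",
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"roleRef": "cluster-admin-like",
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]


def _listed(values, wanted):
    """True if `wanted` is named explicitly or covered by the "*" wildcard."""
    return "*" in values or wanted in values


def rule_matches(rule, verb, api_group, resource):
    """A PolicyRule matches only when verb, apiGroup AND resource all match."""
    return (_listed(rule["verbs"], verb)
            and _listed(rule["apiGroups"], api_group)
            and _listed(rule["resources"], resource))


def roles_bound_to(user, groups, bindings):
    """Names of roles bound to this subject, directly or via any of its groups."""
    names = []
    for binding in bindings:
        for subject in binding["subjects"]:
            direct = subject["kind"] == "User" and subject["name"] == user
            via_group = subject["kind"] == "Group" and subject["name"] in groups
            if direct or via_group:
                names.append(binding["roleRef"])
                break  # one matching subject is enough for this binding
    return names


def granting_rules(user, groups, verb, resource, api_group="",
                   roles=CLUSTER_ROLES, bindings=CLUSTER_ROLE_BINDINGS):
    """Audit view: every (role name, rule) pair that would allow the request."""
    found = []
    for role_name in roles_bound_to(user, groups, bindings):
        for rule in roles.get(role_name, []):
            if rule_matches(rule, verb, api_group, resource):
                found.append((role_name, rule))
    return found


def can_i(user, groups, verb, resource, api_group="",
          roles=CLUSTER_ROLES, bindings=CLUSTER_ROLE_BINDINGS):
    """Allow-only decision: True if at least one bound rule grants the request."""
    return bool(granting_rules(user, groups, verb, resource, api_group, roles, bindings))


if __name__ == "__main__":
    jane = ("jane", ["system:authenticated"])
    admin = ("admin", ["system:authenticated", "system:masters"])
    for name, groups in (jane, admin):
        for verb in ("get", "create"):
            allowed = can_i(name, groups, verb, "namespaces")
            print(f"{name:6} {verb:6} namespaces -> {'allowed' if allowed else 'denied'}",
                  granting_rules(name, groups, verb, "namespaces"))
```

On a live cluster the equivalent check is `kubectl auth can-i create namespaces --as=jane --as-group=system:authenticated`; if it answers yes, the thing to find and remove is the binding whose rule grants create (or a wildcard) on namespaces, since adding a more restrictive role alongside it changes nothing.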
