How to restrict users from creating namespaces in Kubernetes
Say I have a k8s cluster.
I would like to restrict users from creating their own namespaces, and only allow an admin to create namespaces.
I am trying to use cluster role rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-role
rules:
  - apiGroups: [""]   # namespaces are in the core API group, whose name is the empty string (not "v1")
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
But I found the user can still create namespaces. Any solution for this?
You need to create a ClusterRoleBinding to apply the ClusterRole my-role to the user. Assuming the user is jane, below is an example. The problem with this approach is that you need to keep updating it as and when new users get onboarded.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-reader
subjects:
  # You can specify more than one "subject"
  - kind: User
    name: jane # "name" is case sensitive
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: ClusterRole # this must be Role or ClusterRole
  name: my-role # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
An alternative and better approach would be to restrict all authenticated users from creating namespaces using the ClusterRoleBinding below. Since we are applying the ClusterRole to the group system:authenticated, and every user who is successfully authenticated is placed into this group automatically by Kubernetes, no user except the admin user will be able to create namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-reader
subjects:
  # You can specify more than one "subject"
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: ClusterRole # this must be Role or ClusterRole
  name: my-role # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
Since the admin user is part of a set of admin groups, it will be possible to create namespaces as the admin user.
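Added example, not code from the question or the answer: a small Python evaluator that applies the same matching the Kubernetes RBAC authorizer uses (is the subject covered by a binding, do the rule's apiGroups/resources/verbs match on exact value or "*", and grants only ever add up, there is no deny rule) to the manifests on this page. Two things in it are assumptions rather than page content: a copy of the question's original role spelled `apiGroups: ["v1"]`, kept to show why that spelling matches nothing (namespaces are in the core API group, spelled `""`), and an admin binding of the built-in cluster-admin ClusterRole to the `system:masters` group, which is the default bootstrap binding. Running it shows which binding grants each request: the namespace-reader binding gives jane only get/list/watch on namespaces, and create on namespaces comes only through the admin binding.

```python
"""Evaluate Kubernetes RBAC ClusterRole / ClusterRoleBinding objects offline.

Added example, not code from the question or answer.  The manifests below are
constructed: they mirror the page's my-role and namespace-reader objects, add a
copy of the question's original role with apiGroups: ["v1"] to show why that
spelling matches nothing, and assume an admin binding of the built-in
cluster-admin role to the system:masters group (the default bootstrap binding).
"""

from dataclasses import dataclass

# Constructed manifests, written as dicts so the example needs no YAML parser.
CLUSTER_ROLES = {
    "my-role": {
        "rules": [
            # Namespaces live in the core API group, which RBAC spells as "".
            {"apiGroups": [""], "resources": ["namespaces"],
             "verbs": ["get", "list", "watch"]},
        ]
    },
    "my-role-typo": {
        "rules": [
            # The question's original spelling: "v1" is an apiVersion, not a
            # group, so this rule never matches a request for namespaces.
            {"apiGroups": ["v1"], "resources": ["namespaces"],
             "verbs": ["get", "list", "watch"]},
        ]
    },
    # Assumption: mirrors the built-in cluster-admin role's wildcard rule.
    "cluster-admin": {
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
    },
}

CLUSTER_ROLE_BINDINGS = [
    {"name": "namespace-reader", "roleRef": "my-role",
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"name": "namespace-reader-typo", "roleRef": "my-role-typo",
     "subjects": [{"kind": "User", "name": "jane"}]},
    # Assumption: the default bootstrap binding that makes cluster admins admins.
    {"name": "cluster-admin", "roleRef": "cluster-admin",
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]


@dataclass(frozen=True)
class Subject:
    """An authenticated caller: user name plus the groups the authenticator attached."""
    user: str
    groups: frozenset


# Every authenticated user is placed in system:authenticated by the API server.
JANE = Subject("jane", frozenset({"system:authenticated"}))
ADMIN = Subject("admin", frozenset({"system:authenticated", "system:masters"}))


def _matches(allowed, value):
    """A rule field matches on exact value or on the "*" wildcard."""
    return "*" in allowed or value in allowed


def _rule_grants(rule, api_group, resource, verb):
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def _binding_covers(binding, subject):
    for s in binding["subjects"]:
        if s["kind"] == "User" and s["name"] == subject.user:
            return True
        if s["kind"] == "Group" and s["name"] in subject.groups:
            return True
    return False


def granting_bindings(subject, verb, resource, api_group=""):
    """Names of ClusterRoleBindings that grant `verb` on `resource` to `subject`.

    RBAC is purely additive: the request is allowed if any rule reached through
    any binding grants it, and no rule can deny.  An empty list therefore means
    the request is denied; restricting a subject means making sure no binding
    that covers it grants the verb.
    """
    names = []
    for binding in CLUSTER_ROLE_BINDINGS:
        if not _binding_covers(binding, subject):
            continue
        role = CLUSTER_ROLES.get(binding["roleRef"])
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(_rule_grants(r, api_group, resource, verb) for r in role["rules"]):
            names.append(binding["name"])
    return names


def can_i(subject, verb, resource, api_group=""):
    """Offline analogue of `kubectl auth can-i <verb> <resource> --as=<user>`."""
    return bool(granting_bindings(subject, verb, resource, api_group))


if __name__ == "__main__":
    for who in (JANE, ADMIN):
        for verb in ("get", "create"):
            print(f"{who.user:>5} {verb:>6} namespaces -> "
                  f"{granting_bindings(who, verb, 'namespaces') or 'denied'}")
```

Against a live cluster the equivalent check is `kubectl auth can-i create namespaces --as=jane`, and `kubectl auth can-i --list --as=jane` shows everything the user's bindings add up to; any "yes" for create on namespaces points at a binding that grants it, which is what has to be removed.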