如何為擴展特定部署指定 kubernetes RBAC 權限

Question

我正在嘗試授予一組用戶在 kubernetes 1.20 中擴展一組特定部署的權限

我在這里嘗試使用 API 參考文檔： https ://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#patch-scale-deployment-v1-apps 來設置資源名稱，如下所示：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
  resources:
    - /namespaces/my-namespace-name/deployments/my-deployment-name/scale
    - deployments/my-deployment-name/scale
  verbs:
    - update
    - patch

這不起作用：

$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
Error from server (Forbidden): deployments.apps "my-deployment-name" is forbidden: User "kubeoperatorrole" cannot patch resource "deployments/scale" in API group "apps" in the namespace "my-namespace-name"

我可以讓 scale 命令工作的唯一方法是授予所有部署的權限（這不是我想要的），如下所示：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
  resources:
    - deployments/scale
  verbs:
    - update
    - patch

$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
deployment.apps/my-deployment-name scaled

按名稱指定特定部署資源的正確語法是什么，或者這不可能？ 我的目標部署無法移動到隔離的命名空間。

Answer 1

resources不是您要查找的內容，它是resourceNames ，它必須是特定的對象名稱，例如resourceNames: [my-deployment-name] 。 一般來說，這不是一個很好的方法，期望是您將按名稱空間對事物進行分段，並僅在一個名稱空間（或兩個或三個或任何名稱）中授予它們權限。

Answer 2

嘗試：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
- apiGroups: ["apps"]
  resources:
  - deployments/scale
  resourceNames: ["my-deployment-name"]  # <-- name of your deployment here
  verbs:
  - update
  - patch