
In my scenario the user can only access four namespaces, and he switches between them using the contexts below. How can I give him access to CRDs on top of his existing access to the four namespaces?

CURRENT   NAME                      CLUSTER     AUTHINFO                       NAMESPACE
*         dev-crd-ns-user           dev         dev-crd-ns-user                dev-crd-ns
          dev-mon-fe-ns-user        dev         dev-mon-fe-ns-user             dev-mon-fe-ns
          dev-strimzi-operator-ns   dev         dev-strimzi-operator-ns-user   dev-strimzi-operator-ns
          dev-titan-ns-1            dev         dev-titan-ns-1-user            dev-titan-ns-1


hifi@101common:/root$ kubectl get secret
NAME                                     TYPE                                  DATA   AGE
default-token-mh7xq                      kubernetes.io/service-account-token   3      8d
dev-crd-ns-user-token-zd6xt   kubernetes.io/service-account-token   3      8d
exfo@cmme101common:/root$ kubectl get crd
Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:dev-crd-ns:dev-crd-ns-user" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

I tried the two options below. Option 2 was the suggested one, but neither of them works.

Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:dev-crd-ns:dev-crd-ns-user" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the **cluster scope** 

Option 1: add CRDs to the existing Role

Role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
  name: dev-ns-user-full-access
  namespace: dev-crd-ns
rules:
- apiGroups:
  - ""
  - extensions
  - apps
  - networking.k8s.io
  - apiextensions.k8s.io
  resources:
  - '*'
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
  name: dev-crd-ns-user-view
  namespace: dev-crd-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-crd-ns-user-full-access
subjects:
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns

Option 2: add CRDs as a new Role in the "dev-crd-ns" namespace

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev-crd-ns
  name: crd-admin
rules:
- apiGroups: ["apiextensions.k8s.io"] 
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: crd-admin
  namespace: dev-crd-ns
subjects:
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns
roleRef:
  kind: Role 
  name: crd-admin
  apiGroup: rbac.authorization.k8s.io

1 Answer

You need to create a Role and a RoleBinding for each service account, e.g. dev-crd-ns-user.

For dev-crd-ns-user:

  • Update the existing Role or create a new one:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev-crd-ns
  name: crd-admin
rules:
- apiGroups: ["apiextensions.k8s.io"] 
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
$ kubectl apply -f crd-admin-role.yaml
  • Update the existing RoleBinding with this new Role, or create a new one:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: crd-admin
  namespace: dev-crd-ns
subjects:
- kind: ServiceAccount
  name: dev-crd-ns-user
  namespace: dev-crd-ns
roleRef:
  kind: Role 
  name: crd-admin
  apiGroup: rbac.authorization.k8s.io
$ kubectl apply -f crd-admin-role-binding.yaml

Now the SA dev-crd-ns-user will have access to customresourcedefinitions.

Repeat the same steps for the remaining service accounts.

Answered 2021-10-08T05:54:29.723
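The error in the question says the request is denied "at the cluster scope", and both the question's Option 1/2 and the answer above bind a namespaced Role in dev-crd-ns. The following is an added example, not code from the question or the answer: it models the two checks the API server's RBAC authorizer makes (does the binding's scope cover the request, and does a rule match the group/resource/verb), runs the question's Option 2 through it to show why a cluster-scoped request can never match a RoleBinding, and then builds the ClusterRole and ClusterRoleBinding that do grant CRD access for the same service account. The manifest names (crd-reader, crd-reader-dev-crd-ns-user), the read-only default verb set and the helper names are assumptions chosen here; the service account and resource names come from the page.

```python
"""Why a namespaced Role cannot grant access to CRDs, and what does.

Added example, not code from the original question or answer. It models the
RBAC decision the API server makes (binding scope + rule match) for the
service account in the question, then builds the ClusterRole and
ClusterRoleBinding that actually grant CRD access. The manifest names
(crd-reader, crd-reader-<sa>) are assumptions chosen for this example.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

SA = "system:serviceaccount:dev-crd-ns:dev-crd-ns-user"   # from the error message
CRD_GROUP, CRD_RESOURCE = "apiextensions.k8s.io", "customresourcedefinitions"


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

    def matches(self, group: str, resource: str, verb: str) -> bool:
        return (any(g in ("*", group) for g in self.api_groups)
                and any(r in ("*", resource) for r in self.resources)
                and any(v in ("*", verb) for v in self.verbs))


@dataclass
class Binding:
    subject: str
    rules: List[Rule]
    namespace: Optional[str]   # RoleBinding: its namespace; ClusterRoleBinding: None


def allowed(bindings: List[Binding], subject: str, group: str, resource: str,
            verb: str, namespace: Optional[str]) -> bool:
    """Simplified RBAC decision. namespace=None is a cluster-scoped request,
    which is what `kubectl get crd` issues because CRDs are cluster-scoped."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding only covers requests inside its own namespace.
        # A cluster-scoped request has no namespace, so it never matches one.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.matches(group, resource, verb) for r in b.rules):
            return True
    return False


def option2_binding() -> Binding:
    """The question's Option 2: Role + RoleBinding in dev-crd-ns."""
    rule = Rule([CRD_GROUP], [CRD_RESOURCE],
                ["get", "list", "watch", "create", "update", "patch", "delete"])
    return Binding(SA, [rule], "dev-crd-ns")


def crd_reader_manifests(sa_name: str, sa_namespace: str,
                         verbs=("get", "list", "watch")):
    """Build a ClusterRole + ClusterRoleBinding granting only `verbs` on CRDs.
    Read-only by default: write verbs on CRDs affect every namespace."""
    role_name = "crd-reader"                                   # assumed name
    cluster_role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": role_name},
        "rules": [{"apiGroups": [CRD_GROUP], "resources": [CRD_RESOURCE],
                   "verbs": list(verbs)}],
    }
    cluster_role_binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{role_name}-{sa_name}"},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                      "namespace": sa_namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role_name},
    }
    return cluster_role, cluster_role_binding


def binding_from_manifests(cluster_role: dict, cluster_role_binding: dict) -> Binding:
    """Translate the generated manifests into the evaluator's model."""
    s = cluster_role_binding["subjects"][0]
    subject = f"system:serviceaccount:{s['namespace']}:{s['name']}"
    rules = [Rule(r["apiGroups"], r["resources"], r["verbs"])
             for r in cluster_role["rules"]]
    return Binding(subject, rules, None)


if __name__ == "__main__":
    req = (SA, CRD_GROUP, CRD_RESOURCE, "list", None)
    print("Option 2 allows listing CRDs:", allowed([option2_binding()], *req))  # False
    fixed = binding_from_manifests(*crd_reader_manifests("dev-crd-ns-user", "dev-crd-ns"))
    print("ClusterRole allows listing CRDs:", allowed([fixed], *req))          # True
    for m in crd_reader_manifests("dev-crd-ns-user", "dev-crd-ns"):
        print(json.dumps(m, indent=2))   # kubectl apply -f accepts JSON as well as YAML
```

Running the script prints the two decisions and the two manifests; after applying them to a real cluster, the same check can be made without switching contexts with `kubectl auth can-i list customresourcedefinitions --as=system:serviceaccount:dev-crd-ns:dev-crd-ns-user`. The ClusterRoleBinding is the one piece of cluster-wide scope the user gains, so keep its verbs to what the user actually needs (read-only here); the existing per-namespace Roles stay as they are and continue to limit everything else to the four namespaces.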