有没有一种方法可以创建一个K8s集群角色,该角色具有完全访问权限(任何命名空间上的所有资源、谓词和顶点组(,但不在所有命名空间上执行命令,例如:kubectl delete pods --all-namespaces或kubectl delete pv --all-namespaces?
(应该允许在单个命名空间上运行相同的命令,只是不允许对所有命名空间批量运行(。
如果集群角色无法实现这一点,还有其他方法可以实现吗?
如果只将clusterrole绑定到所需的命名空间,而不向受限制的命名空间授予权限,该怎么办?这不是完整的解决方案,至少用户将无法删除不需要的。严格回答你的问题——不确定这是否可能。
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: testsa
namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: testclusterrole
rules:
- apiGroups: [""]
resources: ["pods","services","namespaces","deployments","jobs"]
verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: job-master-1
namespace: namespace1
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: testclusterrole
subjects:
- kind: ServiceAccount
name: testsa
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: job-master-2
namespace: namespace2
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: job-master
subjects:
- kind: ServiceAccount
name: satestsa namespace: default