I want to create a Kubernetes service account and a Role/RBAC that grants permission to patch/update Deployment annotations. The service account should not be able to perform any other updates on Kubernetes Deployments. It should only have update and patch permissions on the metadata section.
I will give you an example of how to create your service account according to your requirements; you can take my example as a template and easily modify it. It looks like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role  # use ClusterRole (with a ClusterRoleBinding) if the grant should span all namespaces
metadata:
  namespace: default  # you can specify any namespace you work in
  name: depl-patch-role
rules:
- apiGroups: ["apps"]  # Deployments belong to the "apps" API group, not the core group ""
  resources: ["deployments"]
  verbs: ["update", "patch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: depl-patch-sa
  namespace: default
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: depl-patch-rolebinding
  namespace: default
subjects:
- kind: ServiceAccount
  name: depl-patch-sa
  namespace: default  # ServiceAccount subjects are identified by name and namespace
roleRef:
  kind: Role
  name: depl-patch-role
  apiGroup: rbac.authorization.k8s.io
Hope this helps. You can find more information about Roles/RBAC in the official documentation.
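Kubernetes RBAC matches a verb against a whole resource (or an explicitly named subresource), never against individual fields, so a rule granting patch on deployments covers the spec just as much as the metadata. The added example below (editor's code, not part of the answer or of Kubernetes) models that matching offline and checks the Role above; the rule dictionaries are constructed from the YAML, and `allowed` is a hypothetical helper name.

```python
"""Minimal offline model of how the Kubernetes RBAC authorizer matches a
request (apiGroup, resource, verb) against Role rules. Hypothetical helper
code for checking the Role in the answer above; not Kubernetes source."""

# Constructed: the rule as the answer originally wrote it (core group "")
RULES_CORE_GROUP = [
    {"apiGroups": [""], "resources": ["deployments"], "verbs": ["update", "patch"]}
]
# Constructed: the corrected rule; Deployments live in the "apps" API group
RULES_APPS_GROUP = [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["update", "patch"]}
]


def _matches(rule_values, value):
    # "*" in a rule matches anything, exactly as in the RBAC authorizer
    return "*" in rule_values or value in rule_values


def _resource_matches(rule_resources, resource):
    # "deployments" does not cover "deployments/scale": a subresource must be
    # named explicitly ("deployments/scale"), via "*/scale", or via "*"
    if "*" in rule_resources or resource in rule_resources:
        return True
    if "/" in resource:
        _, sub = resource.split("/", 1)
        return f"*/{sub}" in rule_resources
    return False


def allowed(rules, api_group, resource, verb):
    """True if any rule grants `verb` on `api_group`/`resource`.

    Note there is no field parameter: a patch that changes
    metadata.annotations and one that changes spec.template.spec.containers
    are the same request to the authorizer."""
    return any(
        _matches(r["apiGroups"], api_group)
        and _resource_matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )


if __name__ == "__main__":
    # The original rule never matches apps/v1 Deployments; the corrected one does
    print("core-group rule, patch deployments:", allowed(RULES_CORE_GROUP, "apps", "deployments", "patch"))
    print("apps-group rule, patch deployments:", allowed(RULES_APPS_GROUP, "apps", "deployments", "patch"))
    print("apps-group rule, delete deployments:", allowed(RULES_APPS_GROUP, "apps", "deployments", "delete"))
```

Because the verb set is scoped to the resource as a whole, an admission controller (or a controller-side check) is the layer at which "annotations only" can actually be enforced; RBAC alone cannot express it.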