我想将特定用户添加到命名空间中。在那里,他们只能对这些名称空间进行完全的管理访问。样品样品:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: ns1-full-access
namespace: ns1
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ns1-full-access-rolebinding
namespace: ns1
subjects:
- kind: Group
name: ns1-full-access-admins
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: ns1-full-access
apiGroup: rbac.authorization.k8s.io
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: XYZ@test.com
- apiGroup: rbac.authorization.k8s.io
kind: User
name: XYZ1@test.com
这就足够了吗。
是的,它将在中工作
基本示例根据需要更改apiGroups,否则使用*****
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: mynamespace-user
namespace: mynamespace
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: mynamespace-user-full-access
namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: mynamespace-user-view
namespace: mynamespace
subjects:
- kind: ServiceAccount
name: mynamespace-user
namespace: mynamespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: mynamespace-user-full-access