我正在学习 rbac 来做访问控制,这是我的角色定义:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: foobar-role
labels:
# Add these permissions to the "view" default role.
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "patch"]
该角色允许主题访问机密,但我想知道是否可以限制对特定路径的访问:
apiVersion: v1
data:
keycloak.clientSecret: ...
keycloak.url: ...
user.password: ...
kind: Secret
metadata:
creationTimestamp: "2019-04-21T08:07:21Z"
labels:
app: foobar-ce
heritage: Tiller
release: foobar
name: foobar-secret
namespace: default
resourceVersion: "12348"
selfLink: /api/v1/namespaces/default/secrets/foobar-secret
uid: 7d8775d9-640c-11e9-8327-0242b821d21a
type: Opaque
例如,是否可以更改角色,只能
- 查看
{.data.keycloak.url}(只读( - 更新
{.data.keycloak.clientSecret}(只写(
您可以限制为单个资源(resourceNames策略中(,但不能超过此范围。我认为 API 甚至不支持部分访问。