How to remove a subject from a ClusterRoleBinding in GKE using Cloud Shell



I created a ClusterRole:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-pods-role
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - restricted-psp
  verbs:
  - use

I granted the user account alex.pitt@xcom.net cluster-admin rights through a ClusterRoleBinding with the following command:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user alex.pitt@xcom.net

Now I want to grant the same cluster-admin privileges to dave.pot@xcom.net instead of alex.pitt@xcom.net.

How can I do this from Cloud Shell?

I want to grant the same cluster-admin privileges to dave.pot@xcom.net instead of alex.pitt@xcom.net. How can I do this from Cloud Shell?

  • You can do this in a single command from Cloud Shell using kubectl patch. Copy the command and replace newuser@domain.com with the desired user:
kubectl patch clusterrolebinding cluster-admin-binding -p '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"newuser@domain.com"}]}'
  • Alternatively, you can edit the manifest on the fly in your default text editor (usually vi) with the following command:

kubectl edit clusterrolebinding cluster-admin-binding


One thing I would like to comment on:

  • I noticed that you created a ClusterRole named restricted-pods-role, but in the second part you assign the role cluster-admin to the user, which gives full control over the cluster.

  • You stated explicitly in the question that this is your intent, but if what you want to achieve is to assign the role you just created to the user, the command would be:

kubectl create clusterrolebinding restricted-pods-binding --clusterrole restricted-pods-role --user someuser@domain.com
  • It is worth mentioning that a ClusterRoleBinding grants the permissions defined in a ClusterRole to a user or a set of users. It holds a list of subjects (users, groups, or service accounts), so you can use the same binding for multiple users.

Reproduction:

  • I deployed the ClusterRoleBinding following your example:
$ k get clusterrolebinding cluster-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-05-12T14:55:14Z"
  name: cluster-admin-binding
  resourceVersion: "48399"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-binding
  uid: 7a5055e3-e464-405c-9ed2-891eb671a948
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alex.pitt@xcom.net
  • and applied the patch as described above:
$ kubectl patch clusterrolebinding cluster-admin-binding -p '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"newuser@domain.com"}]}'
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-binding patched
$ k get clusterrolebinding cluster-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-05-12T14:55:14Z"
  name: cluster-admin-binding
  resourceVersion: "49703"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-binding
  uid: 7a5055e3-e464-405c-9ed2-891eb671a948
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: newuser@domain.com

As you can see, the user has been replaced.

If you still have any questions about this procedure, let me know in the comments.
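The reproduction above shows that the patch body replaces the whole subjects list, so on a binding that carries several subjects the one-liner would drop every subject other than the new one. As an added example (not part of the original answer), the following Python builds the patch body from the binding's JSON, as returned by kubectl get clusterrolebinding cluster-admin-binding -o json, removing one subject and adding another while keeping the rest; the second subject ops-lead@xcom.net and the function names are constructed for the illustration.

```python
import json
from copy import deepcopy

# Constructed sample: the binding from the question as `kubectl get ... -o json`
# would return it, with a second (hypothetical) subject added to show that a
# binding can carry several subjects at once.
SAMPLE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "cluster-admin-binding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "alex.pitt@xcom.net"},
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "ops-lead@xcom.net"},
    ],
}


def _matches(subject, kind, name, namespace=None):
    # ServiceAccount subjects are namespaced; User and Group subjects are not.
    return (subject.get("kind") == kind and subject.get("name") == name
            and subject.get("namespace") == namespace)


def remove_subject(binding, kind, name, namespace=None):
    """Return the subjects list with one subject removed; the binding itself is untouched."""
    subjects = deepcopy(binding.get("subjects", []))
    kept = [s for s in subjects if not _matches(s, kind, name, namespace)]
    if len(kept) == len(subjects):
        raise ValueError(f"{kind} {name} is not a subject of {binding['metadata']['name']}")
    return kept


def replace_user(binding, old_user, new_user):
    """Swap one User subject for another, keeping every other subject on the binding."""
    kept = remove_subject(binding, "User", old_user)
    if not any(_matches(s, "User", new_user) for s in kept):
        kept.append({"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": new_user})
    return kept


def merge_patch(subjects):
    """Body for `kubectl patch clusterrolebinding <name> --type merge -p '<body>'`.
    A merge patch replaces the list as a whole, so the full list is sent, not the delta."""
    return json.dumps({"subjects": subjects}, separators=(",", ":"))


if __name__ == "__main__":
    print(merge_patch(replace_user(SAMPLE_BINDING, "alex.pitt@xcom.net", "dave.pot@xcom.net")))
```

If the removal leaves the list empty, the binding still exists and grants nothing; deleting it outright is the cleaner end state.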
