I created a ClusterRole:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-pods-role
rules:
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - restricted-psp
  verbs:
  - use
I have granted the user account alex.pitt@xcom.net cluster-admin privileges through a ClusterRoleBinding with the following command:
kubectl create clusterrolebinding cluster-admin-binding --clusterrole cluster-admin --user alex.pitt@xcom.net
Now I want to grant the same cluster-admin privileges to dave.pot@xcom.net instead of alex.pitt@xcom.net.
How can I do this from Cloud Shell?
- You can do this in a single command from Cloud Shell using kubectl patch. Copy the command and replace newuser@domain.com with the desired user:
kubectl patch clusterrolebinding cluster-admin-binding -p '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"newuser@domain.com"}]}'
- Alternatively, you can edit the manifest on the fly with your default text editor (usually vi) using:
kubectl edit clusterrolebinding cluster-admin-binding
One thing I would like to comment on:
I noticed that you created a ClusterRole named restricted-pods-role, yet in the second part you assign the role cluster-admin to the user, which gives full control of the cluster. You state explicitly in your question that this is your intention, but if what you want is to assign the role you just created to the user, the command would be:
kubectl create clusterrolebinding restricted-pods-binding --clusterrole restricted-pods-role --user someuser@domain.com
- It is worth mentioning that a ClusterRoleBinding grants the permissions defined in a ClusterRole to a user or a set of users. It holds a list of subjects (users, groups, or service accounts), so you can use the same binding for several users.
Reproduction:
- I deployed the ClusterRoleBinding following your example:
$ k get clusterrolebinding cluster-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-05-12T14:55:14Z"
  name: cluster-admin-binding
  resourceVersion: "48399"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-binding
  uid: 7a5055e3-e464-405c-9ed2-891eb671a948
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alex.pitt@xcom.net
- and applied the patch as described above:
$ kubectl patch clusterrolebinding cluster-admin-binding -p '{"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"newuser@domain.com"}]}'
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-binding patched
$ k get clusterrolebinding cluster-admin-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-05-12T14:55:14Z"
  name: cluster-admin-binding
  resourceVersion: "49703"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin-binding
  uid: 7a5055e3-e464-405c-9ed2-891eb671a948
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: newuser@domain.com
As you can see, the user has been replaced.
If you still have any questions about this procedure, let me know in the comments.
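The two points in the answer worth seeing side by side are the patch semantics (the `-p '{"subjects":[...]}'` form sends a merge patch, and because `subjects` carries no merge key the whole list is replaced, which is exactly why alex.pitt@xcom.net disappears in the reproduction) and the remark that one binding can carry several subjects. The following is an added example, not code from the answer or from kubectl: it models the ClusterRoleBinding from the reproduction as a constructed Python dict, applies both a merge patch (replace) and a JSON-patch style append (keep existing subjects), and finishes with a small audit that lists every subject bound to cluster-admin, which is the check a reviewer would want after such a change. The `restricted-pods-binding` object is constructed from the command the answer suggests; no cluster access is needed.

```python
import copy
import json

# Constructed sample: the binding exactly as the answer's reproduction prints it
# (metadata trimmed to the name).
CLUSTER_ADMIN_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "cluster-admin-binding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                  "kind": "User", "name": "alex.pitt@xcom.net"}],
}

# Constructed sample: what the answer's suggested
# `kubectl create clusterrolebinding restricted-pods-binding ...` would produce.
RESTRICTED_PODS_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "restricted-pods-binding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "restricted-pods-role"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                  "kind": "User", "name": "someuser@domain.com"}],
}


def user_subject(name):
    """Build the subject entry kubectl writes for --user NAME."""
    return {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": name}


def merge_patch(obj, patch):
    """RFC 7386 merge-patch semantics: nested dicts merge, None deletes a key,
    and any other value (lists included) replaces the existing value wholesale.
    This is how `kubectl patch -p` behaves on `subjects`, which has no merge key."""
    result = copy.deepcopy(obj)
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        elif isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_patch(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def replace_user(binding, new_user):
    """The answer's command: the patch's subjects list replaces the old one,
    so the previous user loses the binding and only new_user holds it."""
    return merge_patch(binding, {"subjects": [user_subject(new_user)]})


def add_user(binding, new_user):
    """The keep-everyone variant, equivalent to a JSON patch
    `{"op":"add","path":"/subjects/-","value":...}` sent with --type=json:
    appends a subject without dropping the existing ones."""
    result = copy.deepcopy(binding)
    result.setdefault("subjects", []).append(user_subject(new_user))
    return result


def patch_command(binding_name, patch):
    """Render the kubectl command line that corresponds to a merge patch dict."""
    body = json.dumps(patch, separators=(",", ":"))
    return "kubectl patch clusterrolebinding %s -p '%s'" % (binding_name, body)


def cluster_admins(bindings):
    """Audit helper: (kind, name) of every subject whose binding points at the
    cluster-admin ClusterRole. Run this over `kubectl get clusterrolebindings -o json`
    output after any change to confirm who actually holds full control."""
    found = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
            for subject in binding.get("subjects", []):
                found.append((subject.get("kind"), subject.get("name")))
    return sorted(found)


if __name__ == "__main__":
    replaced = replace_user(CLUSTER_ADMIN_BINDING, "dave.pot@xcom.net")
    print(patch_command("cluster-admin-binding", {"subjects": replaced["subjects"]}))
    print("after replace:", cluster_admins([replaced, RESTRICTED_PODS_BINDING]))
    added = add_user(CLUSTER_ADMIN_BINDING, "dave.pot@xcom.net")
    print("after append: ", cluster_admins([added, RESTRICTED_PODS_BINDING]))
```

`replace_user` reproduces the answer's result (only the new user remains), while `add_user` is the shape to reach for when the intent is "also grant", not "hand over"; the audit deliberately ignores `restricted-pods-binding`, since that binding grants only the PSP `use` verb and is not a cluster-admin grant.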