RBAC kubectl add/patch to an existing RoleBinding



Update: the reason for patching it is to add a role to the RoleBinding

Is it possible to add to / patch an existing ClusterRoleBinding / RoleBinding?

To save confusion, I think it would be nice to be able to add to an existing RoleBinding.

Adding/patching a Role - I think that is not possible, but for a RoleBinding - yes please :-(

Tried this but no luck - so if it is possible, how?

subjects:
  - kind: ServiceAccount
    name: test-service-account # Name is case sensitive
    apiGroup: ""
    namespace: default
    # core/v1 .. rbac.authorization.k8s.io
roleRef:
  kind: Role # this must be Role or ClusterRole
  name: pod-reader-2add # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

and patch it:

kubectl patch rolebinding read-pods --patch "$(cat rolebinding2patch.yaml)"
The RoleBinding "read-pods" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"Role", Name:"pod-reader-2add"}: cannot change roleRef

The roleRef in a RoleBinding is immutable by design, so you cannot change it.

Here is the validation code:

// ValidateRoleBindingUpdate rejects any update that changes roleRef;
// only metadata and subjects may change on an existing RoleBinding.
func ValidateRoleBindingUpdate(roleBinding *rbac.RoleBinding, oldRoleBinding *rbac.RoleBinding) field.ErrorList {
	allErrs := ValidateRoleBinding(roleBinding)
	allErrs = append(allErrs, validation.ValidateObjectMetaUpdate(&roleBinding.ObjectMeta, &oldRoleBinding.ObjectMeta, field.NewPath("metadata"))...)
	if oldRoleBinding.RoleRef != roleBinding.RoleRef {
		allErrs = append(allErrs, field.Invalid(field.NewPath("roleRef"), roleBinding.RoleRef, "cannot change roleRef"))
	}
	return allErrs
}

Check the issue here.

You can patch the RoleBinding.

$ cat patch.yaml
subjects:
- kind: ServiceAccount
name: my-new-service-account
namespace: default
$ kubectl patch rolebinding my-rolebinding --patch "$(cat patch.yaml)"
rolebinding.rbac.authorization.k8s.io/my-rolebinding patched
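As an added illustration (not code from either answer) of why the question's patch failed and how a subject can be appended without touching roleRef: the script below mirrors the roleRef check from ValidateRoleBindingUpdate in Python, shows that a merge-style patch carrying a different roleRef is rejected, and builds an RFC 6902 JSON Patch (`kubectl patch --type=json`) whose `add` on `/subjects/-` appends one subject to the list. The RoleBinding document and the subject names are constructed sample data.

```python
import copy
import json
import shlex

# Constructed sample, modelled on the question's "read-pods" binding (not real cluster data).
EXISTING = {
    "metadata": {"name": "read-pods", "namespace": "default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "existing-sa", "namespace": "default"}],
}

def validate_update(old, new):
    """Python mirror of the roleRef check in ValidateRoleBindingUpdate: roleRef is immutable."""
    errs = []
    if old["roleRef"] != new["roleRef"]:
        errs.append("roleRef: Invalid value: cannot change roleRef")
    return errs

def apply_merge_patch(doc, patch):
    """Top-level merge: each key in the patch replaces that key in the object.
    This is what the question's YAML patch amounts to, since it carries roleRef too."""
    new = copy.deepcopy(doc)
    new.update(copy.deepcopy(patch))
    return new

def append_subject_patch(subject):
    """RFC 6902 JSON Patch for kubectl --type=json; the path '/subjects/-' appends."""
    return [{"op": "add", "path": "/subjects/-", "value": subject}]

def apply_json_patch(doc, patch):
    """Minimal applier for the single 'add /subjects/-' op produced above."""
    new = copy.deepcopy(doc)
    for op in patch:
        if op["op"] != "add" or op["path"] != "/subjects/-":
            raise ValueError("unsupported op: %r" % op)
        new.setdefault("subjects", []).append(copy.deepcopy(op["value"]))
    return new

def add_subject(binding, subject):
    """Return (updated binding, kubectl command) or raise if the API server would reject it."""
    if subject in binding.get("subjects", []):
        raise ValueError("subject already bound")
    patch = append_subject_patch(subject)
    new = apply_json_patch(binding, patch)
    errs = validate_update(binding, new)
    if errs:
        raise ValueError("; ".join(errs))
    meta = binding["metadata"]
    cmd = "kubectl patch rolebinding %s -n %s --type=json -p %s" % (
        meta["name"], meta["namespace"], shlex.quote(json.dumps(patch)))
    return new, cmd
```

The command string returned by `add_subject` is only built, not executed; review it, then run it against the cluster where the binding lives.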
