kubernetes 用户角色管理
用户-角色
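$ echo '
# ServiceAccount for metrics-server in kube-system. On its own it carries no
# permissions; the Role and RoleBinding applied in the next two steps grant it
# read access to a single ConfigMap.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
' | kubectl apply -f -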
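$ echo '
# Namespaced Role, deliberately narrow: get/list/watch on ConfigMaps, and
# resourceNames restricts that to the one ConfigMap named
# extension-apiserver-authentication. No write verbs, no other resources.
# The rbac-defaults label mirrors the bootstrap policy objects, but the label
# alone does not make the apiserver reconcile this object; it is managed here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: apiserver-authentication-reader
  namespace: kube-system
rules:
- apiGroups:
  - ""
  resourceNames:
  - extension-apiserver-authentication
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
' | kubectl apply -f -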
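$ echo '
# Namespaced binding: gives the metrics-server ServiceAccount the Role above.
# Because this is a RoleBinding (not a ClusterRoleBinding), the grant stays
# confined to kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
' | kubectl apply -f -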
用户-集群角色
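$ echo '
# ServiceAccount that the ClusterRoleBinding applied below attaches to
# cluster-admin. Any token issued for it is therefore a full-cluster
# credential: do not reference this account from pod specs, consider setting
# automountServiceAccountToken: false, and treat issued tokens as secrets.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
' | kubectl apply -f -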
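$ echo "
# cluster-admin is a built-in ClusterRole (the rbac-defaults label marks the
# bootstrap policy that the kube-apiserver recreates and reconciles at start),
# so applying this manifest is redundant: the binding in the next step is all
# that is needed. Kept here to show what the role contains.
# Both rules are unrestricted wildcards: every verb on every resource in every
# API group, plus every non-resource URL.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
" | kubectl apply -f -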
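$ echo '
# Cluster-wide binding: the admin-user ServiceAccount in kube-system receives
# cluster-admin across all namespaces and non-resource URLs. Anyone who can
# read or mint a token for this account effectively owns the cluster, so
# limit who holds create rights on serviceaccounts/token in kube-system and
# watch the audit log for TokenRequest calls against admin-user.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
' | kubectl apply -f -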