As we can read in the Role and ClusterRole documentation https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole, permissions (rules) are purely additive - there are no "deny" rules:
Role and ClusterRole
An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).
The list of possible verbs can be found here https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb:
You need to provide all the verbs that should apply to the resources covered by the rule.
Instead of:
verbs = ["*"]
provide only the verbs that are required, e.g.:
verbs = ["get", "list", "patch", "update", "watch"]
As an example, I created an example-role Role and an example_role_binding RoleBinding. The example_role_binding RoleBinding grants the permissions defined in the example-role Role to the user john.
NOTE: For details on using the following resources, see the kubernetes_role https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role and kubernetes_role_binding https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding resource documentation.
resource "kubernetes_role" "example_role" {
  metadata {
    name      = "example-role"
    namespace = "default"
  }
  rule {
    api_groups = ["*"]   # every API group in the namespace
    resources  = ["*"]   # every namespaced resource
    verbs      = ["get", "list", "patch", "update", "watch"]   # no create/delete
  }
}

resource "kubernetes_role_binding" "example_role_binding" {
  metadata {
    name      = "example_role_binding"
    namespace = "default"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = "example-role"
  }
  subject {
    kind      = "User"
    name      = "john"
    api_group = "rbac.authorization.k8s.io"
  }
}
In addition, I created a test_user.sh Bash script to quickly check whether it works as expected:
NOTE: You may need to modify the variables namespace, resources, and user to suit your needs.
$ cat test_user.sh
#!/bin/bash
# Adjust these to match the RoleBinding you want to verify
namespace=default
resources="pods deployments"   # space-separated, split on purpose below
user=john

echo "=== NAMESPACE: ${namespace} ==="
for verb in create delete get list patch update watch; do
  echo "-- ${verb} --"
  for resource in ${resources}; do
    echo -n "${resource}: "
    kubectl auth can-i "${verb}" "${resource}" -n "${namespace}" --as="${user}"
  done
done
$ ./test_user.sh
=== NAMESPACE: default ===
-- create --
pods: no
deployments: no
-- delete --
pods: no
deployments: no
-- get --
pods: yes
deployments: yes
-- list --
pods: yes
deployments: yes
...