我正在使用G.我想创建一个只能访问特定命名空间的自定义用户,我使用了这个yaml:
—apiVersion:v1kind:ServiceAccount元数据: 名称:开发用户 命名空间:开发
-…
这是一篇关于如何设置它的好文章: https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html 。
一般来说,你的配置很好,我改变的是线 - apiGroups: rbac.authorization.k8s.io 变成:
- apiGroups: rbac.authorization.k8s.io
- apiGroups: ["", "extensions", "apps"]
然后,应用以下步骤:
develop
$ kubectl create namespace develop
$ kubectl apply -f rbac.yaml
$ kubectl cluster-info $ kubectl get secret develop-user-token-2wsnb -o jsonpath={.data.token} -n develop | base64 --decode $ kubectl get secret develop-user-token-2wsnb -o "jsonpath={.data['ca\.crt']}" -n develop
~/.kube/config
$ kubectl get service my-service -n mynamespace Error from server (Forbidden): services "my-service" is forbidden: User "system:serviceaccount:develop:develop-user" cannot get services in the namespace "mynamespace" $ kubectl get service my-service -n develop hError from server (NotFound): services "my-service" not found
https://medium.com/uptime-99/making-sense-of-kubernetes-rbac-and-iam-roles-on-gke-914131b01922 https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28
这两篇文章终于帮助了我!由于这个愚蠢的东西,我几乎感到沮丧,多亏了正常时间-99和ManagedKube我做到了!好极了!
关键是在gcloud中创建kubernetes-viewer用户,然后为他创建一个角色 这是一个暗示!
--- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: develop name: allow-developer-port-forward rules: - apiGroups: [""] resources: ["pods", "pods/portforward"] verbs: ["get", "list", "create"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: anime-developer-port-access namespace: develop subjects: - kind: User name: ANIMEDEVERLOP@gmail.com apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: allow-developer-port-forward apiGroup: ""
然后
kubectly apply -f accessconfig.yaml
而已! 祝你今天愉快!