kubernetes - 如何为命名空间中的 pod 提供管理员访问权限？

Question

我是k8s的新手。

我在 k8test 内有一个带有单个 pod 的部署(自定义)命名空间。 学习用 ，我想为该 pod 授予管理员访问权限。

我未能通过创建命名空间角色来实现这一点:

    kind: 'Role',
    apiVersion: 'rbac.authorization.k8s.io/v1',
    metadata: {
      name: 'super-duper-admin',
      namespace: 'k8test',
    },
    rules: [
      {
        apiGroups: [''],
        resources: ['ResourceAll'],
        verbs: ['VerbAll'],
      },
    ],

来自 pod 的日志:

services is forbidden: User "system:serviceaccount:k8test:default" cannot list resource "services" in API group "" in the namespace "k8test"

我找不到对 apiGroups 的简单解释。 .它是什么？

Answer 1

您可以找到所有 api 组 here .

如记录 here

API groups make it easier to extend the Kubernetes API. The API group is specified in a REST path and in the apiVersion field of a serialized object

Pod 属于 core API 组和版本 v1 .

在您的 RBAC ''表示 core API 组。

创建如下角色，授予所有 apigroups 权限, 所有 resources和所有 verbs .

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: k8test
  name: super-duper-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'

将角色绑定(bind)到服务帐户，如下所示

apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: admin-rolebinding
  namespace: k8test
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
  name: default # "name" is case sensitive
  namespace: k8test
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: super-duper-admin # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

执行以下命令以验证 RABC 是否正确应用

kubectl auth can-i list services --as=system:serviceaccount:k8test:default -n k8test 

有关 RBAC 的更多信息和示例 here