gpt4 book ai didi

kubernetes - 如何为 Kubernetes 中的特定部署允许端口转发?

转载 作者:行者123 更新时间:2023-12-05 00:58:40 25 4
gpt4 key购买 nike

我正在尝试允许我组织中的一些用户将端口转发到我们在 Kubernetes 中的生产命名空间。但是,我不希望他们能够将端口转发到所有服务。我想限制对某些服务的访问。这可能吗?

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: allow-port-forward-for-deployment-a
rules:
- apiGroups: [""]
resources: ["pods/portforward"]
verbs: ["get", "list", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: allow-port-forward-for-deployment-a
namespace: production
subjects:
- kind: User
name: "xyz@org.com"
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: allow-port-forward-for-deployment-a
apiGroup: rbac.authorization.k8s.io

上述设置允许所有服务,但我不希望这样。

最佳答案

我相信你做不到。 According to the docs

Resources can also be referred to by name for certain requests through the resourceNames list. When specified, requests can be restricted to individual instances of a resource. To restrict a subject to only “get” and “update” a single configmap, you would write:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: configmap-updater
rules:
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["my-configmap"]
verbs: ["update", "get"]

Note that create requests cannot be restricted by resourceName, as the object name is not known at authorization time. The other exception is deletecollection.

由于您想授予用户创建转发端口的权限,我认为您不能。

关于kubernetes - 如何为 Kubernetes 中的特定部署允许端口转发?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56670876/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com