AWS EKS添加仅限于名称空间的用户 [英] AWS EKS add user restricted to namespace
问题描述
我已经创建了AWS EKS集群,因为使用我的AWS userID创建的我已被添加到system:masters组.但是,当检查ConfigMap
I have created AWS EKS cluster since I have created using my AWS userID has been added to system:masters group. But when checked ConfigMap aws-auth I don't see my user ID. Why ?
我必须授予其他用户访问权限,所以我必须为IAM用户分配适当的AWS策略,然后使用以下映射编辑ConfigMap aws-auth
I had to give access to another user, so I have to assign appropriate AWS policies to the IAM user, then I edited the ConfigMap aws-auth with the following mapping
mapUsers:
----
- userarn: arn:aws:iam::573504862059:user/abc-user
username: abc-user
groups:
- system:masters
到目前为止,我了解到某个用户属于system:masters组的一部分时,该用户在群集上具有管理权限.
So far I have understood when a user is part of system:masters group, this user has admin privileges on the cluster.
如何将具有受限特权的新用户添加到特定名称空间?我是否需要为上述用户做同样的事情?如果是这样,那么我应该将新用户添加到哪个组?
How can I add a new user who will have restricted privileges to a specific namespace? Do I have to do the same thing what I have done for the above user? If so then what group I should add the new user to?
推荐答案
我会熟悉因此您可以创建Role,因为它们仅限于特定的名称空间.
So you can create a Role since these are limited to a specific namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: my-namespace
name: full-namespace
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
然后创建一个RoleBinding:
$ kubectl create rolebinding my-namespace-binding --role=full-namespace --group=namespacegroup --namespace=my-namespace
或kubectl create -f此:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: my-namespace-binding
namespace: mynamespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: full-namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
namespace: mynamespace
然后在您的ConfigMap上:
Then on your ConfigMap:
mapUsers:
----
- userarn: arn:aws:iam::573504862059:user/abc-user
username: abc-user
groups:
- namespacegroup
这篇关于AWS EKS添加仅限于名称空间的用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
