授予Kubernetes服务帐户权限的秘密? [英] Granting a Kubernetes Service Account permissions for Secrets?
本文介绍了授予Kubernetes服务帐户权限的秘密?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个服务帐户,我想授予其在特定名称空间中读取/写入/更新/删除机密的权限.我尚不清楚服务帐户,角色,绑定等如何完全配合以授予正确的权限.
I have a Service Account which I'd like to grant permissions to read/write/update/delete Secrets within a specific namespace. I'm not clear about how exactly Service Accounts, Roles, Bindings, etc. work together to grant the right permissions.
我需要做什么kubectl调用或YAML才能将这些权限授予服务帐户?
What kubectl invocations or YAML do I need to do to grant these permissions to the service account?
这是我到目前为止拥有的服务帐户的YAML:
Here's the YAML for the Service Account I have so far:
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: 2018-10-09T17:45:20Z
name: testaccount
namespace: test
resourceVersion: "369702913"
selfLink: /api/v1/namespaces/test/serviceaccounts/testaccount
uid: f742ed5c-c1b3-11e8-8a69-0ade4132ab56
secrets:
- name: testaccount-token-brjxq
推荐答案
您需要创建角色和角色绑定.
You need to create Role and Role binding.
创建角色:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: test
name: role-test-account
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
创建角色绑定:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: role-test-account-binding
namespace: test
subjects:
- kind: ServiceAccount
name: test-account
namespace: test
roleRef:
kind: Role
name: role-test-account
apiGroup: rbac.authorization.k8s.io
您可以阅读更多有关使用RBAC授权的信息
这篇关于授予Kubernetes服务帐户权限的秘密?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
