在多租户Kubernetes集群中设置卷权限 [英] Set Volume Permissions in Multi-Tenant Kubernetes Cluster

问题描述

情况:
-用户A，B，C，D
-小组1:用户A，用户B
-小组2:用户C，用户D

Situation:
- users A, B, C, D
- team 1: user A, user B
- team 2: user C, user D

所需:
-每个用户都有私人卷
-每个团队都有一个共享卷->团队中的用户可以看到共享卷
-根据权限，一些用户可以同时看到两个共享卷

Desired:
- each user has private volume
- each team has a shared volume --> users in team can see shared volume
- some users, based on permission, can see both shared volumes

搜索了很长时间，在文档中看不到解决方案.

Searched for quite some time now, do not see a solution in the Docs.

想法:
-使用命名空间！问题->无法再看到其他命名空间的共享卷

Ideas:
- Use Namespaces! problem --> can no longer see shared volume of other Namespace

推荐答案

这是您如何执行此操作的示例.您可以为不同的团队使用名称空间.

This is an example of how you would do it. You can use namespaces for the different teams.

然后，您可以使用 Role (每个卷)，并相应地分配给用户. (角色已命名).角色示例为:

Then you can use a Role for each volume and assign to users accordingly. (Roles are namespaced). A sample Role would be:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: team1
  name: volume-access
rules:
- apiGroups: [""]
  resources: ["persistentvolume", "persistentvolumeclaims"]
  resourceNames: ["my-volume"]
  verbs: ["update", "get", "list", "patch", "watch"]

然后您的绑定将类似于:

Then your binding would be something like:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pv-binding
  namespace: team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: volume-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: usera
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userb

以上内容将由用户A和用户B共享.您可以为私有卷创建单独的角色.

The above would be shared by user A and user B. You can create separate roles for the volume that is private.

这篇关于在多租户Kubernetes集群中设置卷权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！