授予 pod 访问权限以创建新的命名空间
Grant a pod access to create new Namespaces
我正在尝试通过利用 Kubernetes 名称空间的自动化来配置临时环境。我部署在 Kubernetes 中的自动化工作者必须能够创建命名空间。到目前为止,我对此的实验使我无处可去。我需要将哪个绑定附加到服务帐户以允许它控制命名空间?还是我的做法不对?
到目前为止我的代码:
deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: k8s-deployer
namespace: tooling
labels:
app: k8s-deployer
spec:
replicas: 1
selector:
matchLabels:
app: k8s-deployer
template:
metadata:
name: k8s-deployer
labels:
app: k8s-deployer
spec:
serviceAccountName: k8s-deployer
containers: ...
rbac.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-deployer
namespace: tooling
---
# this lets me view namespaces, but not write
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: administer-cluster
subjects:
- kind: ServiceAccount
name: k8s-deployer
namespace: tooling
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.io
要让 pod 控制 Kubernetes 中的某些东西,您至少需要四件事:
- 创建或 select 现有
Role/ClusterRole(您选择了 administer-cluster,我不知道哪些规则)。
- 创建或 select 现有
ServiceAccount(您在命名空间 tooling 中创建了 k8s-deployer)。
- 将两者放在一起
RoleBinding/ClusterRoleBinding.
- 将
ServiceAccount 分配给广告连播。
下面是一个可以管理命名空间的例子:
# Create a service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-deployer
namespace: tooling
---
# Create a cluster role that allowed to perform
# ["get", "list", "create", "delete", "patch"] over ["namespaces"]
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k8s-deployer
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "create", "delete", "patch"]
---
# Associate the cluster role with the service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-deployer
# make sure NOT to mention 'namespace' here or
# the permissions will only have effect in the
# given namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-deployer
subjects:
- kind: ServiceAccount
name: k8s-deployer
namespace: tooling
之后,您需要像之前那样在 pod spec 中提及服务帐户名称。 documentation.
中有关 RBAC 的更多信息
我正在尝试通过利用 Kubernetes 名称空间的自动化来配置临时环境。我部署在 Kubernetes 中的自动化工作者必须能够创建命名空间。到目前为止,我对此的实验使我无处可去。我需要将哪个绑定附加到服务帐户以允许它控制命名空间?还是我的做法不对?
到目前为止我的代码:
deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: k8s-deployer
namespace: tooling
labels:
app: k8s-deployer
spec:
replicas: 1
selector:
matchLabels:
app: k8s-deployer
template:
metadata:
name: k8s-deployer
labels:
app: k8s-deployer
spec:
serviceAccountName: k8s-deployer
containers: ...
rbac.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-deployer
namespace: tooling
---
# this lets me view namespaces, but not write
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: administer-cluster
subjects:
- kind: ServiceAccount
name: k8s-deployer
namespace: tooling
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.io
要让 pod 控制 Kubernetes 中的某些东西,您至少需要四件事:
- 创建或 select 现有
Role/ClusterRole(您选择了administer-cluster,我不知道哪些规则)。 - 创建或 select 现有
ServiceAccount(您在命名空间tooling中创建了k8s-deployer)。 - 将两者放在一起
RoleBinding/ClusterRoleBinding. - 将
ServiceAccount分配给广告连播。
下面是一个可以管理命名空间的例子:
# Create a service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-deployer
namespace: tooling
---
# Create a cluster role that allowed to perform
# ["get", "list", "create", "delete", "patch"] over ["namespaces"]
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k8s-deployer
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "create", "delete", "patch"]
---
# Associate the cluster role with the service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-deployer
# make sure NOT to mention 'namespace' here or
# the permissions will only have effect in the
# given namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-deployer
subjects:
- kind: ServiceAccount
name: k8s-deployer
namespace: tooling
之后,您需要像之前那样在 pod spec 中提及服务帐户名称。 documentation.