Kubernetes RBAC not giving access to resource

I'm trying to give a user access to a specific resource using RBAC. I have defined a Role and a RoleBinding in the same namespace. Even though the context is set up with that namespace and that user, the user cannot access the resource.

Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: l
rules:
- apiGroups: [v1]
  resources: [secrets]
  verbs: [get, list, create, update, patch, delete]
- apiGroups: [v1]
  resources: [pods]
  verbs: [get, watch, list]

RoleBinding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: l
  namespace: default
subjects:
- kind: User
  name: l
  namespace: default
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: l
  apiGroup: rbac.authorization.k8s.io

Context (kubeconfig):

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xx
    server: xx
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: default
    user: l
  name: l
current-context: l
kind: Config
preferences: {}
users:
- name: l
  user:
    client-certificate-data: xx
    client-key-data: xx

Verifying a lack of permissions:

kubectl get pods --kubeconfig=l/l-k8s-config
Error from server (Forbidden): pods is forbidden: User "l" cannot list resource "pods" in API group "" in the namespace "default"
kubectl get secrets --kubeconfig=l/l-k8s-config
Error from server (Forbidden): secrets is forbidden: User "l" cannot list resource "secrets" in API group "" in the namespace "default"
kubectl auth can-i get secrets -n default --kubeconfig=l/l-k8s-config
no

Edit: Since I am using an older version of Kubernetes, 1.21.10, my particular issue was solved by setting each apiGroups entry to [""] rather than "", as the accepted answer indicates.

Best answer

Each resource in Kubernetes has both an API group and an API version. When you see something like:

apiVersion: apps/v1

apps is the group and v1 is the version.

Legacy (core) resources such as pods and secrets have no API group; their version is v1. When you write a Role for them, you need to set apiGroups to "" (the empty string). For example, looking at the default edit ClusterRole, it includes:

rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch

You need to update your role so that it reads:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: myrole
rules:
- apiGroups: [""]
  resources: [secrets]
  verbs: [get, list, create, update, patch, delete]
- apiGroups: [""]
  resources: [pods]
  verbs: [get, watch, list]

This is also spelled out in the error message you showed in your question:

User "l" cannot list resource "pods" in API group "" in the namespace "default"
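Added example, not code from the question or the answer and not the kube-apiserver's own authorizer: a small Python model of how RBAC matches a Role's rules against a request, written to show why the original Role grants nothing. The two Role definitions are the page's broken and fixed Roles as PyYAML would load them, embedded inline so nothing needs a cluster. The function names (split_api_version, role_allows, can_i) and the simplified matching (no subresource or "*/scale" handling, no RoleBinding or namespace check) are my own assumptions, not Kubernetes code.

```python
"""Minimal model of Kubernetes RBAC rule matching (added example, not k8s code).

apiGroups, resources and verbs in a rule are matched independently; "" is the
core ("legacy") API group; "*" is a wildcard; rules are additive, so one
matching rule is enough. This is enough to show why `apiGroups: [v1]` never
matches a request for pods or secrets: "v1" is a version, not a group.
"""

from typing import Dict, List, Tuple

# The questioner's Role, as PyYAML would load it: "v1" written where the
# API *group* belongs (constructed from the page's YAML).
BROKEN_ROLE: Dict = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"namespace": "default", "name": "l"},
    "rules": [
        {"apiGroups": ["v1"], "resources": ["secrets"],
         "verbs": ["get", "list", "create", "update", "patch", "delete"]},
        {"apiGroups": ["v1"], "resources": ["pods"],
         "verbs": ["get", "watch", "list"]},
    ],
}

# The answer's fix: the empty string names the core API group.
FIXED_ROLE: Dict = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"namespace": "default", "name": "myrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "watch", "list"]},
    ],
}


def split_api_version(api_version: str) -> Tuple[str, str]:
    """Split an object's apiVersion into (group, version).

    "apps/v1" -> ("apps", "v1"); a bare "v1" -> ("", "v1"). Core-group objects
    carry no group prefix, which is exactly why a Role for them must say "".
    """
    group, sep, version = api_version.rpartition("/")
    return (group, version) if sep else ("", api_version)


def _matches(wanted: str, allowed: List[str]) -> bool:
    """One field of a rule matches if it lists the value or the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Dict, group: str, resource: str, verb: str) -> bool:
    """A single rule allows a request only if group, resource and verb all match."""
    return (_matches(group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", []))
            and _matches(verb, rule.get("verbs", [])))


def role_allows(role: Dict, group: str, resource: str, verb: str) -> bool:
    """RBAC is purely additive: any one matching rule grants the request."""
    return any(rule_allows(r, group, resource, verb) for r in role["rules"])


def can_i(role: Dict, verb: str, resource: str, api_version: str = "v1") -> str:
    """Mimic `kubectl auth can-i <verb> <resource>` for a subject bound to `role`.

    The request's group is derived from the resource's apiVersion the same way
    the API server reports it in "in API group \"\"" error messages.
    """
    group, _version = split_api_version(api_version)
    return "yes" if role_allows(role, group, resource, verb) else "no"


if __name__ == "__main__":
    for name, role in (("broken", BROKEN_ROLE), ("fixed", FIXED_ROLE)):
        print(f"{name:6s} list pods: {can_i(role, 'list', 'pods')}  "
              f"get secrets: {can_i(role, 'get', 'secrets')}  "
              f"get deployments (apps/v1): "
              f"{can_i(role, 'get', 'deployments', 'apps/v1')}")
```

Running it prints "no" for both pods and secrets under the broken Role and "yes" under the fixed one, while deployments stay "no" under both because their group is apps, not "". The same distinction is what the real check reports: the error text names the group, and for core resources that group is the empty string.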
