限制ServiceAccount /角色来管理所有集群中的机密
限制ServiceAccount /角色来管理所有集群中的机密
提问于 2019-12-17 09:12:08
我试图限制ServiceAccount的RBAC权限来管理所有命名空间中的秘密:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-secrets-manager
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- gitlab-registry
verbs:
- get
- list
- create
- update
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab-service-account
namespace: gitlab
secrets:
- name: gitlab-service-account-token-lllll
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-service-account-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gitlab-secrets-manager
subjects:
- kind: ServiceAccount
name: gitlab-service-account
namespace: gitlab到目前为止,我已经创建了ServiceAccount和相关的CRB,但是,操作失败了:
secrets "gitlab-registry" is forbidden: User "system:serviceaccount:gitlab:default" cannot get resource "secrets" in API group "" in the namespace "shamil"有人知道我错过了什么吗?
回答 1
Stack Overflow用户
回答已采纳
发布于 2019-12-18 06:19:06
您可以执行以下步骤:
首先,需要确保集群中名为
- 的服务帐户
gitlab-service-account存在。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-secrets-manager
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- gitlab-registry
verbs:
- get
- list
- create
- update然后,您还将创建一个在集群级别授予权限的
- .
。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-secrets-manager-clusterrolebinding
subjects:
- kind: ServiceAccount
name: gitlab-service-account
namespace: gitlab
roleRef:
kind: ClusterRole
name: gitlab-secrets-manager
apiGroup: rbac.authorization.k8s.io页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/59370907
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号