rbac.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-account
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
namespace: default
name: my-role
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["create", "delete", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: my-cluster-role-binding
namespace: default
subjects:
- kind: ServiceAccount
name: my-account
namespace: default
roleRef:
kind: ClusterRole
name: my-role
apiGroup: rbac.authorization.k8s.io
我尝试后kubectl apply -f rbac.yaml
:
user@host> kubectl auth can-i create pods --as=my-account
no
我的 yaml 有什么问题?
环境:新的 minikube。
答案1
我发现了错误。--as=..
错误部分如下:
这有效:
kubectl auth can-i create pod --as=system:serviceaccount:default:my-account