I want to know whether I can restrict developers' access: we only want to allow developers to list pods and check logs, without letting them ssh into the pods. Is this feasible? This is what I tried, but it does not seem to work.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-role
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: [""]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developer-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: developer-role
subjects:
- kind: Group
  name: developer_customized
Answer 1
An empty verb set for the resource pods/exec does not grant any access, but it does not deny access either. That depends on the rest of the configuration.
To effectively deny access, you should remove the pods/exec lines:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-role
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
Answer 2
Based on your YAML file, you may need to try adding the verb get for pod/exec:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-role
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developer-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: developer-role
subjects:
- kind: Group
  name: developer_customized
If it does not work, make sure the group membership is correct and that there is no conflicting ClusterRole. You can use the command kubectl get events to get more information about the cluster.