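On my 1.9 cluster I created this deployment role for the developer user. Deployments work as expected. Now I want to give the developers exec and log access. What do I need to add to the role for exec?
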
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployment-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Error message:

kubectl exec nginx -it -- sh
Error from server (Forbidden): pods "nginx" is forbidden: User "dev" cannot create pods/exec in the namespace "dev"

Thanks, SR

Jos*_*sto 19
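Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint. However, some Kubernetes APIs involve a "subresource", such as the logs for a pod. [...] To represent this in an RBAC role, use a slash to delimit the resource and subresource.

To allow a subject to read pods and pod logs, and to be able to exec into a pod, you can write:
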
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
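
The subresource rule quoted above, as an added example that is not part of the original question or answer: a simplified Python model of RBAC rule matching (not Kubernetes source code) that evaluates the two roles from this page and shows why "pods" alone does not grant exec or log access. The function names and the `check` helper are hypothetical.

```python
# Added example: a simplified model of RBAC rule matching, not Kubernetes source code.

def matches(patterns, value):
    """A rule list matches on an exact entry or the "*" wildcard."""
    return "*" in patterns or value in patterns

def resource_matches(patterns, resource, subresource=""):
    """Subresources are written "resource/subresource"; "pods" alone does not cover them."""
    combined = f"{resource}/{subresource}" if subresource else resource
    if matches(patterns, combined):
        return True
    # "*/<subresource>" names that subresource on every resource in the API group.
    return bool(subresource) and f"*/{subresource}" in patterns

def allowed(rules, verb, api_group, resource, subresource=""):
    """RBAC is additive: a request is allowed if any single rule matches it fully."""
    return any(
        matches(r["verbs"], verb)
        and matches(r["apiGroups"], api_group)
        and resource_matches(r["resources"], resource, subresource)
        for r in rules
    )

# Rules copied from the question's deployment-manager Role.
DEPLOYMENT_MANAGER = [{
    "apiGroups": ["", "extensions", "apps"],
    "resources": ["deployments", "replicasets", "pods"],
    "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
}]

# Rules copied from the answer's pod-and-pod-logs-reader Role.
POD_LOGS_EXEC = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]

def check(rules):
    """Evaluate the three requests a developer in this scenario would make."""
    return {
        "kubectl exec": allowed(rules, "create", "", "pods", "exec"),
        "kubectl logs": allowed(rules, "get", "", "pods", "log"),
        "kubectl delete pod": allowed(rules, "delete", "", "pods"),
    }

if __name__ == "__main__":
    for label, rules in (("question", DEPLOYMENT_MANAGER), ("answer", POD_LOGS_EXEC),
                         ("both bound to dev", DEPLOYMENT_MANAGER + POD_LOGS_EXEC)):
        print(label, check(rules))
```

Keeping "pods/exec" in its own rule with only the "create" verb, as the answer does, avoids attaching the question's full verb list to the exec subresource.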