wta*_*yeb 5 rbac kubernetes kubectl
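One can create a Role or ClusterRole and assign it to a user via RoleBinding or ClusterRoleBinding.
From the point of view of a user who has a token, how can he get all the permissions or roles/rolebindings applied to him via kubectl?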
rok*_*rok 19
I think you are looking for the kubectl auth can-i --list command, which lists all of a user's permissions:
Resources                                       Non-Resource URLs                     Resource Names              Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []                          [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []                          [create]
persistentvolumeclaims                          []                                    []                          [get list watch create delete deletecollection patch update]
pods/exec                                       []                                    []                          [get list watch create delete deletecollection patch update]
pods                                            []                                    []                          [get list watch create delete deletecollection patch update]
events                                          []                                    []                          [get list watch]
pods/log                                        []                                    []                          [get list watch]
configmaps                                      []                                    []                          [get watch list]
                                                [/.well-known/openid-configuration]   []                          [get]
                                                [/api/*]                              []                          [get]
                                                [/api]                                []                          [get]
                                                [/apis/*]                             []                          [get]
                                                [/apis]                               []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/livez]                              []                          [get]
                                                [/livez]                              []                          [get]
                                                [/openapi/*]                          []                          [get]
                                                [/openapi]                            []                          [get]
                                                [/openid/v1/jwks]                     []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version]                            []                          [get]
                                                [/version]                            []                          [get]
podsecuritypolicies.policy                      []                                    [global-unrestricted-psp]   [use]
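You can also view another user's permissions by adding --as=[user-name]
For example: kubectl auth can-i --list --as=jenkins
For more fine-grained role information, such as the cluster roles of each service account or the specific actions (verbs) allowed on specific resources, refer to this answer.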
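An added example, not part of either answer: a shell function that reads a kubectl auth can-i --list listing like the one above and reports the grants that deserve a closer look when reviewing an account (exec into pods, Secret reads, wildcard or escalation verbs, PodSecurityPolicy use). The function names and the rule set are assumptions made for this illustration; the sample rows are copied from the listing above.

```shell
#!/bin/sh
# Added example: flag risky grants in `kubectl auth can-i --list` output.

# Constructed sample: a few rows copied from the listing in the answer above.
sample_rules() {
cat <<'EOF'
Resources                    Non-Resource URLs   Resource Names              Verbs
pods/exec                    []                  []                          [get list watch create delete deletecollection patch update]
pods                         []                  []                          [get list watch create delete deletecollection patch update]
events                       []                  []                          [get list watch]
configmaps                   []                  []                          [get watch list]
                             [/healthz]          []                          [get]
podsecuritypolicies.policy   []                  [global-unrestricted-psp]   [use]
EOF
}

# Reads a listing on stdin, prints "resource: finding" for each risky rule.
flag_risky_rules() {
  awk '
    function has(v) { return index(verbs, " " v " ") > 0 }
    {
      # Collect the three bracketed columns: URLs, resource names, verbs.
      n = 0; rest = $0
      while ((o = index(rest, "[")) > 0) {
        rest = substr(rest, o + 1); c = index(rest, "]")
        grp[++n] = substr(rest, 1, c - 1); rest = substr(rest, c + 1)
      }
      # Skip the header and non-resource URL rows (empty Resources column).
      if (n < 3 || $1 ~ /^\[/) next
      res = $1; names = grp[2]; verbs = " " grp[3] " "
      if (has("*")) print res ": wildcard verb, every action is allowed"
      if (res == "pods/exec" && has("create"))
        print res ": create allows running commands inside containers"
      if (res == "secrets" && (has("get") || has("list") || has("watch")))
        print res ": read access to Secret contents"
      if (res ~ /^podsecuritypolicies/ && has("use"))
        print res ": may use PodSecurityPolicy [" names "], review that policy"
      if (has("escalate") || has("bind") || has("impersonate"))
        print res ": holds an RBAC escalation verb (escalate/bind/impersonate)"
    }'
}

# Offline demo; against a cluster, pipe the real command instead, e.g.
#   kubectl auth can-i --list --as=jenkins | flag_risky_rules
sample_rules | flag_risky_rules
```

The listing is scoped to one namespace, so repeat the check with --namespace for each namespace the account is bound in.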
Sur*_*noi 10
# Check to see if I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'
# Check to see if I can create pods in any namespace
kubectl auth can-i create pods --all-namespaces
# Check to see if I can list deployments in my current namespace
kubectl auth can-i list deployments.extensions
You can get more information with the kubectl auth --help command.
You can also impersonate another user with the following flags: --as or --as-group
kubectl auth can-i create deployments --namespace default --as john.cena