我有一组users(dev-team)只需要访问dev和qa命名空间的人。我创建了一个服务帐户、集群角色和集群角色绑定,如下所示。
服务帐号
apiVersion: v1
kind: ServiceAccount
metadata:
name: dev-team
集群角色
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: dev-team-users
rules:
- apiGroups: ["rbac.authorization.k8s.io",""]
resources: ["namespaces"]
resourceNames: ["dev","qa"]
verbs: ["get","list","create"]
集群角色绑定
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: dev-team-user-bindings
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dev-team-users
subjects:
- kind: User
name: dev-team
namespace: kube-system
apiGroup: rbac.authorization.k8s.io
当我尝试验证访问权限时
kubectl get namespaces --as=dev-team
我收到以下错误消息
Error from server (Forbidden): namespaces is forbidden: User "dev-team" cannot list resource "namespaces" in API group …