我想创建 kubernetes 服务帐户和角色/rbac,它们将授予补丁/更新部署注释的权限。服务帐户不应该能够对 Kubernetes 部署执行任何其他更新。它应该仅对元数据部分具有升级和修补权限。
【问题讨论】:
标签: kubernetes kubernetes-deployment kubernetes-security kubernetes-rbac
我会给你一个例子,告诉你如何根据你的需要创建你的服务帐户,你可以拿我的例子来轻松修改,它看起来像这样:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role # it can be ClusterRole if you want your service account for all nodes and across all namespaces
metadata:
namespace: default # if can specify any your working namespace
name: depl-patch-role
rules:
- apiGroups: [""] # "" indicates the core API group, you can set any specific group
resources: ["deployments"]
verbs: ["update", "patch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: depl-patch-sa
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: depl-patch-rolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: depl-patch-sa
apiGroup: "" # same as above
roleRef:
kind: Role
name: depl-patch-role
apiGroup: ""
希望这会有所帮助。您可以在official documentation中找到有关角色/rbac 的更多信息
【讨论】: