Role
# Common Role configuration fields
A Role is a named set of permission rules. It is namespaced: it only grants access to resources inside its own namespace, and it has no effect until a RoleBinding binds it to a user, group, or ServiceAccount. RBAC is purely additive, so a Role lists what is allowed and everything it does not list is denied.
# Role examples
Example 1: the role may only read Pods (get, watch, list); every other verb on Pods, and every operation on any other resource, is denied because nothing grants it.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
Example 2: a single rule that allows get, watch, list, create, patch and delete on Pods, Deployments, and the Deployment `scale` subresource. Two things to check before copying this pattern. First, one rule is a cross product: every listed apiGroup is combined with every listed resource and verb, so this rule nominally also grants `pods` in the `apps` group and `deployments` in the core group (pairs that do not exist), and it is harder to audit than one rule per group. Second, `deployments/scale` must be named explicitly; a rule that lists only `deployments` does not cover the subresource. Note that `metadata.name` is unchanged from example 1 even though the role is no longer read-only.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
# one rule = apiGroups x resources x verbs; "" is the core group, "apps" holds Deployments
- apiGroups: ["", "apps"]
  # "deployments/scale" is a subresource and is not covered by "deployments" alone
  resources: ["pods", "deployments", "deployments/scale"]
  verbs: ["get", "watch", "list", "create", "patch", "delete"]
```
Example 3: the permissions for the two resources are split into separate rules, one per API group. Pods (core group) get `get`, `watch`, `list`; Deployments (`apps` group) get only `get` and `watch`, so `list` on Deployments is denied. Splitting rules this way avoids the cross product of example 2 and lets each resource carry exactly the verbs it needs.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch"]
```
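To make the matching semantics of the three examples concrete, here is an added example (not code from the original page or from Kubernetes itself): a small offline model of how the API server's RBAC authorizer decides a request against a Role. The matching rules follow the upstream RBAC evaluation helpers: a request is allowed if any rule matches on apiGroup, resource and verb; `*` is a wildcard; a subresource request such as `deployments/scale` matches only an entry naming it exactly or as `*/scale`. The three Roles above are transcribed into Python dicts, and the request tuples in `main` are constructed for illustration.

```python
# Added example: an offline model of RBAC rule matching for the page's three Roles.
# Rule semantics mirror Kubernetes' RBAC evaluation helpers (any matching rule allows;
# "*" is a wildcard; subresources must be named exactly or as "*/<sub>").
# This is illustrative code, not the kube-apiserver implementation.

def group_matches(rule, group):
    # "" is the core group, so an apiGroups entry of "" matches apiVersion: v1 resources
    return any(g in ("*", group) for g in rule.get("apiGroups", []))


def resource_matches(rule, resource):
    """resource is 'pods' or 'deployments/scale' (resource/subresource)."""
    _, _, subresource = resource.partition("/")
    for r in rule.get("resources", []):
        if r == "*" or r == resource:
            return True
        # "*/scale" matches the scale subresource of any resource
        if subresource and r == "*/" + subresource:
            return True
    return False


def verb_matches(rule, verb):
    return any(v in ("*", verb) for v in rule.get("verbs", []))


def allowed(role, group, resource, verb):
    """True if ANY rule in the Role grants (group, resource, verb); nothing else is denied explicitly."""
    return any(
        group_matches(rule, group) and resource_matches(rule, resource) and verb_matches(rule, verb)
        for rule in role["rules"]
    )


def effective_grants(role):
    """Expand each rule's cross product into the set of (group, resource, verb) it allows."""
    grants = set()
    for rule in role["rules"]:
        for g in rule["apiGroups"]:
            for r in rule["resources"]:
                for v in rule["verbs"]:
                    grants.add((g, r, v))
    return grants


# The page's three example Roles, transcribed as dicts.
EXAMPLE_1 = {"metadata": {"name": "pod-reader"}, "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
]}
EXAMPLE_2 = {"metadata": {"name": "pod-reader"}, "rules": [
    {"apiGroups": ["", "apps"],
     "resources": ["pods", "deployments", "deployments/scale"],
     "verbs": ["get", "watch", "list", "create", "patch", "delete"]},
]}
EXAMPLE_3 = {"metadata": {"name": "pod-reader"}, "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "watch"]},
]}

if __name__ == "__main__":
    # Constructed requests: (role, apiGroup, resource, verb)
    checks = [
        (EXAMPLE_1, "", "pods", "list"),
        (EXAMPLE_1, "", "pods", "delete"),
        (EXAMPLE_2, "apps", "deployments/scale", "patch"),
        (EXAMPLE_2, "apps", "pods", "delete"),      # nonexistent pair, still matched by the rule
        (EXAMPLE_3, "apps", "deployments", "watch"),
        (EXAMPLE_3, "apps", "deployments", "list"),  # denied: not in the deployments rule
        (EXAMPLE_3, "apps", "deployments/scale", "get"),  # denied: subresource not named
    ]
    for role, g, r, v in checks:
        name = role["metadata"]["name"]
        print(f"{name:10} {g or 'core':5} {r:18} {v:6} -> {allowed(role, g, r, v)}")
    print(len(effective_grants(EXAMPLE_2)), "grants from example 2's single rule")
    print(len(effective_grants(EXAMPLE_3)), "grants from example 3's two rules")
```

Running the block prints one line per constructed request; the last two lines show why the single rule of example 2 is harder to audit than the split rules of example 3 (36 effective grants versus 5). Against a live cluster the equivalent check is `kubectl auth can-i <verb> <resource> --as=<subject> -n <namespace>`.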
# rules
# rules.apiGroups (which API groups the rule covers)
The API groups whose resources the rule applies to. The group is the part of a resource's `apiVersion` before the slash (the `group` in `group/version`). Resources whose `apiVersion` has no slash, such as `v1`, belong to the core group, which is written as the empty string `""`.
For example:
```yaml
# group "apps": the rule can cover any resource whose apiVersion starts with apps/,
# for example Deployment and DaemonSet (apiVersion: apps/v1)
rules:
- apiGroups: ["apps"]
```
```yaml
# the empty string is the core group: resources whose apiVersion has no group prefix,
# for example Pod and Service (apiVersion: v1)
rules:
- apiGroups: [""]
```
# rules.resources (the specific resource types)
`apiGroups` selects the group; `resources` selects the specific resource types within that group. Entries are the lowercase plural resource names the API exposes (`deployments`, not the Kind `Deployment`); a subresource is written as `resource/subresource`, for example `deployments/scale`.
```yaml
# Deployments, in the apps API group (apiVersion: apps/v1)
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
```
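The apiGroups and resources sections above describe how a manifest's `apiVersion` and `kind` map onto a rule. As an added example (not code from the original page or from any Kubernetes tool), the following Python derives that mapping and builds a Role with one rule per API group from the manifests a workload actually uses, which is the least-privilege shape shown in example 3 rather than the cross-product rule of example 2. The Kind-to-resource table and the sample manifest headers are constructed for this example; a real tool would take the plural names from `kubectl api-resources`.

```python
# Added example: derive Role rules from manifest headers, one rule per API group.
# Kind -> resource-name table is a hand-written assumption covering only the sample
# kinds below; in practice the API server's discovery data is the source of truth.
KIND_TO_RESOURCE = {
    "Pod": "pods", "Service": "services", "ConfigMap": "configmaps",
    "Deployment": "deployments", "DaemonSet": "daemonsets", "StatefulSet": "statefulsets",
}


def api_group(api_version):
    """'apps/v1' -> 'apps'; 'v1' -> '' (core group); 'rbac.authorization.k8s.io/v1' -> that group."""
    group, sep, _version = api_version.rpartition("/")
    return group if sep else ""


def rules_for(manifests, verbs):
    """One rule per apiGroup listing only the resources seen in that group.

    Keeping each group in its own rule avoids the cross product that an
    apiGroups: ["", "apps"] rule would create.
    """
    by_group = {}  # insertion-ordered: first-seen group comes first
    for m in manifests:
        group = api_group(m["apiVersion"])
        resource = KIND_TO_RESOURCE[m["kind"]]   # plural resource name, not the Kind
        resources = by_group.setdefault(group, [])
        if resource not in resources:
            resources.append(resource)
    return [{"apiGroups": [g], "resources": rs, "verbs": list(verbs)}
            for g, rs in by_group.items()]


def to_yaml(name, rules):
    """Render the Role in the page's YAML layout without a PyYAML dependency."""
    def q(xs):
        return "[" + ", ".join(f'"{x}"' for x in xs) + "]"
    lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: Role",
             "metadata:", f"  name: {name}", "rules:"]
    for r in rules:
        lines += [f"- apiGroups: {q(r['apiGroups'])}",
                  f"  resources: {q(r['resources'])}",
                  f"  verbs: {q(r['verbs'])}"]
    return "\n".join(lines)


# Constructed sample: the apiVersion/kind headers of a small application's manifests.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Pod"},
    {"apiVersion": "apps/v1", "kind": "Deployment"},
    {"apiVersion": "v1", "kind": "Service"},
    {"apiVersion": "apps/v1", "kind": "DaemonSet"},
    {"apiVersion": "v1", "kind": "Pod"},   # duplicate kind collapses into one entry
]

if __name__ == "__main__":
    print(to_yaml("app-viewer", rules_for(SAMPLE_MANIFESTS, ["get", "list", "watch"])))
```

The rendered output has two rules: `apiGroups: [""]` with `pods` and `services`, and `apiGroups: ["apps"]` with `deployments` and `daemonsets`. The verbs are a parameter because the group/resource mapping is mechanical while the verbs are a policy decision.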
# rules.verbs (the specific permissions)