云容器引擎 CCE-命名空间权限(Kubernetes RBAC授权):示例:授予命名空间全部权限(admin)
示例:授予命名空间全部权限(admin)
admin权限拥有命名空间全部权限,您可以给某个或全部命名空间授权。
如果使用kubectl查看可以看到创建了一个RoleBinding,将admin和cce-role-group这个用户组绑定了起来,且权限范围是default这个命名空间。
# kubectl get rolebindingNAME ROLE AGEclusterrole_admin_group0c96fad22880f32a3f84c009862af6f7 ClusterRole/admin 18s# kubectl get rolebinding clusterrole_admin_group0c96fad22880f32a3f84c009862af6f7 -oyamlapiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata: annotations: CCE.com/ IAM : "true" creationTimestamp: "2021-06-24T01:30:08Z" name: clusterrole_admin_group0c96fad22880f32a3f84c009862af6f7 namespace: default resourceVersion: "36963685" selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/clusterrole_admin_group0c96fad22880f32a3f84c009862af6f7 uid: 6c6f46a6-8584-47da-83f5-9eef1f7b75d6roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: adminsubjects:- apiGroup: rbac.authorization.k8s.io kind: Group name: 0c96fad22880f32a3f84c009862af6f7
使用被授予用户连接集群,您会发现可以查询和创建default命名空间的资源,但无法查询kube-system命名空间资源,也无法查询集群级别的资源。
# kubectl get podNAME READY STATUS RESTARTS AGEtest-568d96f4f8-brdrp 1/1 Running 0 33mtest-568d96f4f8-cgjqp 1/1 Running 0 33m# kubectl get pod -nkube-systemError from server (Forbidden): pods is forbidden: User "0c97ac3cb280f4d91fa7c0096739e1f8" cannot list resource "pods" in API group "" in the namespace "kube-system"# kubectl get pvError from server (Forbidden): persistentvolumes is forbidden: User "0c97ac3cb280f4d91fa7c0096739e1f8" cannot list resource "persistentvolumes" in API group "" at the cluster scope