Use context: kubectl config use-context k8s-c1-H

Create a new ServiceAccount processor in Namespace project-hamster . Create a Role and RoleBinding, both named processor as well. These should allow the new SA to only create Secrets and ConfigMaps in that Namespace.


Translation

In the Namespace project-hamster, create a new ServiceAccount named processor. Create a Role and a RoleBinding, both also named processor. These should allow the new SA to only create Secrets and ConfigMaps in that Namespace.


Solution

There are 4 possible RBAC combinations, 3 of which are valid:

  1. Role + RoleBinding (defined in a single Namespace, applies to that single Namespace)
  2. ClusterRole + ClusterRoleBinding (defined cluster-wide, applies to the whole cluster)
  3. ClusterRole + RoleBinding (defined cluster-wide, applies to a single Namespace)
  4. Role + ClusterRoleBinding (not possible: defined in a single Namespace, would have to apply to the whole cluster)

k config use-context k8s-c1-H

Create the ServiceAccount and the Role

k -n project-hamster create sa processor
k -n project-hamster create role processor \
--verb=create \
--resource=secret \
--resource=configmap

Create the RoleBinding

k -n project-hamster create rolebinding processor \
--role processor \
--serviceaccount project-hamster:processor

Verify

k -n project-hamster auth can-i create secret \
--as system:serviceaccount:project-hamster:processor

k -n project-hamster auth can-i create configmap \
--as system:serviceaccount:project-hamster:processor

k -n project-hamster auth can-i create pod \
--as system:serviceaccount:project-hamster:processor

k -n project-hamster auth can-i delete secret \
--as system:serviceaccount:project-hamster:processor

k -n project-hamster auth can-i get configmap \
--as system:serviceaccount:project-hamster:processor
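The declarative equivalent of the objects the imperative commands above create, added here as an illustration (it is not part of the original answer; the file name rbac-processor.yaml is an assumption). It makes explicit what the `--resource` and `--verb` flags expand to, and why combination 4 from the list is impossible: the Role carries a `namespace` field, so there is nothing cluster-wide for a ClusterRoleBinding to reference.

```yaml
# Added example: declarative form of the ServiceAccount, Role and RoleBinding
# created imperatively above. Apply with (file name is an assumption):
#   kubectl apply -f rbac-processor.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: processor
  namespace: project-hamster
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: processor
  namespace: project-hamster   # a Role is namespaced: it can never grant access outside this Namespace
rules:
- apiGroups: [""]              # core API group, where Secrets and ConfigMaps live
  resources: ["secrets", "configmaps"]
  verbs: ["create"]            # create only: no get/list, so the SA cannot read Secrets back
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: processor
  namespace: project-hamster   # the binding applies only in this Namespace
subjects:
- kind: ServiceAccount
  name: processor
  namespace: project-hamster   # required for ServiceAccount subjects
roleRef:
  kind: Role                   # references the namespaced Role above; a ClusterRole here would be combination 3
  name: processor
  apiGroup: rbac.authorization.k8s.io
```

`kubectl auth can-i` prints `yes` or `no`. With this Role in place the five checks above answer yes, yes, no, no, no: the first two cover the granted verb and resources, while create on Pods, delete on Secrets and get on ConfigMaps all fall outside the single rule. Granting only `create` is deliberate least privilege; if the SA later needs to read what it wrote, add `get` to the rule rather than widening it to `*`. Note also that `roleRef` is immutable once created, so changing which Role a binding points at means deleting and recreating the RoleBinding.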
