Kubernetes user impersonation API
May 6, 2010
Configuring permission to impersonate users
By default, most users and service accounts have no permission to impersonate anyone; the permission is granted through RBAC. Concretely, the identity that sends the impersonating request must be bound (through a ClusterRoleBinding) to a ClusterRole that grants the impersonate verb on the kinds of identity it is allowed to assume. Treat this grant as equal to the strongest identity it can reach: a subject that may impersonate arbitrary users or groups can impersonate the system:masters group and is effectively cluster-admin, so prefer the resourceNames restrictions shown further down. The API server keeps the original caller and the impersonated identity apart in audit logs (the impersonatedUser field), so impersonated actions remain attributable.
Example of a ClusterRole that can impersonate users, groups and service accounts:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator
rules:
- apiGroups: [""]
  resources: ["users", "groups", "serviceaccounts"]
  verbs: ["impersonate"]
```
Each extra name used in an Impersonate-Extra-(extra name) header likewise needs a matching ClusterRole: the extra is authorized as the resource userextras/(extra name) in the authentication.k8s.io API group.
For example, the ClusterRole below allows setting the Impersonate-Extra-scopes header while impersonating; the scopes part of the header name is the subresource listed under resources:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scopes-impersonator
rules:
# Can set "Impersonate-Extra-scopes" header.
- apiGroups: ["authentication.k8s.io"]
  resources: ["userextras/scopes"]
  verbs: ["impersonate"]
```
resourceNames can additionally restrict which values each header may carry, because the header value is the resource name that RBAC checks. Example:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: limited-impersonator
rules:
# Can impersonate the user "jane.doe@example.com"
- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
  resourceNames: ["jane.doe@example.com"]
# Can impersonate the groups "developers" and "admins"
- apiGroups: [""]
  resources: ["groups"]
  verbs: ["impersonate"]
  resourceNames: ["developers", "admins"]
# Can impersonate the extras field "scopes" with the values "view" and "development"
- apiGroups: ["authentication.k8s.io"]
  resources: ["userextras/scopes"]
  verbs: ["impersonate"]
  resourceNames: ["view", "development"]
```
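To see how the three ClusterRoles above (impersonator, scopes-impersonator and limited-impersonator) behave against real request headers, here is an added Python example that is not code from the original post or from Kubernetes. It models the authorization step of the API server's impersonation filter: every Impersonate-* header value becomes one RBAC check with the verb impersonate, Impersonate-User values of the form system:serviceaccount:(ns):(name) are checked as serviceaccounts, extras become userextras/(lower-cased key), and a single unauthorized header rejects the whole request. The ClusterRoles are transcribed as Python dicts (constructed input), and the helper names header_to_attrs, rule_allows, check_headers and request_allowed, as well as the simplified wildcard matching, are this example's own.

```python
# Added example (not from the original post or Kubernetes): an offline model of
# how kube-apiserver's impersonation filter authorizes Impersonate-* headers
# with RBAC. The matcher is a simplification of the real RBAC authorizer.

SA_PREFIX = "system:serviceaccount:"
EXTRA_PREFIX = "Impersonate-Extra-"

# The three ClusterRoles from the post, transcribed as dicts (constructed input).
IMPERSONATOR = {"rules": [
    {"apiGroups": [""], "resources": ["users", "groups", "serviceaccounts"],
     "verbs": ["impersonate"]},
]}
SCOPES_IMPERSONATOR = {"rules": [
    {"apiGroups": ["authentication.k8s.io"], "resources": ["userextras/scopes"],
     "verbs": ["impersonate"]},
]}
LIMITED_IMPERSONATOR = {"rules": [
    {"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"],
     "resourceNames": ["jane.doe@example.com"]},
    {"apiGroups": [""], "resources": ["groups"], "verbs": ["impersonate"],
     "resourceNames": ["developers", "admins"]},
    {"apiGroups": ["authentication.k8s.io"], "resources": ["userextras/scopes"],
     "verbs": ["impersonate"], "resourceNames": ["view", "development"]},
]}


def header_to_attrs(header, value):
    """Translate one Impersonate-* header into the apiGroup/resource/name triple
    that the apiserver authorizes with the verb "impersonate"."""
    if header == "Impersonate-User":
        if value.startswith(SA_PREFIX):
            # system:serviceaccount:<ns>:<name> is checked as a serviceaccount, not a user
            ns, name = value[len(SA_PREFIX):].split(":", 1)
            return {"apiGroup": "", "resource": "serviceaccounts", "namespace": ns, "name": name}
        return {"apiGroup": "", "resource": "users", "namespace": "", "name": value}
    if header == "Impersonate-Group":
        return {"apiGroup": "", "resource": "groups", "namespace": "", "name": value}
    if header == "Impersonate-Uid":
        return {"apiGroup": "authentication.k8s.io", "resource": "uids", "namespace": "", "name": value}
    if header.startswith(EXTRA_PREFIX):
        # the extra key is lower-cased and becomes the subresource: userextras/<key>
        key = header[len(EXTRA_PREFIX):].lower()
        return {"apiGroup": "authentication.k8s.io", "resource": "userextras/" + key,
                "namespace": "", "name": value}
    raise ValueError("not an impersonation header: " + header)


def _resource_matches(rule_resources, resource):
    """'*' matches anything; 'userextras/*' matches every userextras subresource."""
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if r.endswith("/*") and resource.startswith(r[:-1]):
            return True
    return False


def rule_allows(rule, attrs):
    """Evaluate one RBAC PolicyRule against one impersonation attribute set.
    An empty resourceNames list means any name is allowed."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    names = rule.get("resourceNames", [])
    return (("*" in groups or attrs["apiGroup"] in groups)
            and _resource_matches(rule.get("resources", []), attrs["resource"])
            and ("*" in verbs or "impersonate" in verbs)
            and (not names or attrs["name"] in names))


def check_headers(cluster_role, headers):
    """Return {(header, value): allowed}; each header value is authorized on its own."""
    return {(h, v): any(rule_allows(r, header_to_attrs(h, v)) for r in cluster_role["rules"])
            for h, v in headers}


def request_allowed(cluster_role, headers):
    """The apiserver is all-or-nothing: one unauthorized header fails the request (403)."""
    return all(check_headers(cluster_role, headers).values())


if __name__ == "__main__":
    req = [("Impersonate-User", "jane.doe@example.com"),
           ("Impersonate-Group", "developers"),
           ("Impersonate-Extra-scopes", "view")]
    for name, role in [("impersonator", IMPERSONATOR),
                       ("scopes-impersonator", SCOPES_IMPERSONATOR),
                       ("limited-impersonator", LIMITED_IMPERSONATOR)]:
        print(name, check_headers(role, req), "->", request_allowed(role, req))
    # The escalation the text warns about: the unrestricted role may impersonate system:masters.
    print("impersonator can become system:masters:",
          request_allowed(IMPERSONATOR, [("Impersonate-Group", "system:masters")]))
```

Two things the model deliberately leaves out: in a real request, Impersonate-Group, Impersonate-Uid and Impersonate-Extra-* are only accepted alongside Impersonate-User, and a caller bound to several roles is allowed if any of them permits a header. In practice the headers are sent for you by kubectl's --as, --as-group and --as-uid flags, and `kubectl auth can-i --list --as jane.doe@example.com` is a quick way to confirm what the impersonated identity can do once the binding is in place.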