RBAC


Overview

On an RBAC-enabled cluster, you need to grant your users/groups the permissions they need to explore their Kubernetes clusters with K9s. K9s needs at least read access at both the cluster and the namespace level in order to display resources and metrics.

The rules below are provided for reference only; customize them to your environment's policy. If your users need to edit or delete resources, additional permissions beyond the read-only verbs shown here are required.


The cluster/namespace access requirements may change in the future as K9s evolves.


ClusterRole

---
# K9s Reader ClusterRole
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k9s
rules:
  # Grants read-only access to the cluster-scoped resources nodes, namespaces and persistentvolumes
  - apiGroups: [""]
    resources: ["nodes", "namespaces", "persistentvolumes"]
    verbs: ["get", "list", "watch"]
  # Grants read-only access to RBAC resources
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "roles", "clusterrolebindings", "rolebindings"]
    verbs: ["get", "list", "watch"]
  # Grants read-only access to CRD resources
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  # Grants read-only access to the metrics server (if one is installed)
  - apiGroups: ["metrics.k8s.io"]
    resources: ["nodes", "pods"]
    verbs: ["get", "list", "watch"]

---
# Sample K9s user ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k9s
subjects:
  - kind: User
    name: fernand
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: k9s
  apiGroup: rbac.authorization.k8s.io

Role

If your users are restricted to specific namespaces, K9s needs the following Role to enable read access to namespaced resources. Note that resources: ["*"] in the core API group also covers Secrets and ServiceAccounts; if your policy does not allow reading Secrets, list the resource types explicitly instead of using the wildcard. Also note that a namespaced Role can only authorize namespaced requests, so cluster-scoped resources such as nodes, namespaces and node metrics still require the ClusterRole above; the "nodes" entry under metrics.k8s.io in the Role below has no effect on its own.

---
# K9s Reader Role (default namespace)
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: k9s
  namespace: default
rules:
  # Grants read-only access to most namespaced resources (the wildcard includes secrets)
  - apiGroups: ["", "apps", "autoscaling", "batch", "extensions"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # Grants read-only access to the metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---
# Sample K9s user RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k9s
  namespace: default
subjects:
  - kind: User
    name: fernand
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: k9s
  apiGroup: rbac.authorization.k8s.io
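Before binding either rule set, it is worth checking what it actually grants. The script below is an added example, not K9s project code: it mirrors the additive rule-matching logic of Kubernetes RBAC (a request is allowed if any single rule matches its API group, resource and verb; there are no deny rules, and a namespaced RoleBinding cannot authorize cluster-scoped resources) and evaluates it offline against constructed copies of the page's ClusterRole and Role. The CLUSTER_SCOPED set and the helper names are assumptions of this example; it covers both the ClusterRole and the Role sections above.

```python
"""Offline RBAC rule evaluator for the two K9s read-only rule sets on this page.

Added example (not K9s code). It reproduces how RBAC matches a request
against PolicyRules so you can see what a manifest grants before applying it.
"""
from __future__ import annotations

# Constructed copy of the page's ClusterRole "k9s".
CLUSTER_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["nodes", "namespaces", "persistentvolumes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "roles", "clusterrolebindings", "rolebindings"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["nodes", "pods"],
     "verbs": ["get", "list", "watch"]},
]

# Constructed copy of the page's namespaced Role "k9s" (default namespace).
ROLE_RULES = [
    {"apiGroups": ["", "apps", "autoscaling", "batch", "extensions"],
     "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
     "verbs": ["get", "list", "watch"]},
]

# Assumed subset of cluster-scoped (group, resource) pairs relevant to these rules.
# A Role bound with a RoleBinding can never authorize requests for these.
CLUSTER_SCOPED = {("", "nodes"), ("", "namespaces"), ("", "persistentvolumes"),
                  ("metrics.k8s.io", "nodes")}


def _resource_matches(rule_resource: str, requested: str) -> bool:
    """RBAC resource matching: '*' matches every resource and subresource,
    an exact name matches itself, and 'pods/*' matches subresources of pods
    such as 'pods/log' (but not the bare 'pods')."""
    if rule_resource == "*" or rule_resource == requested:
        return True
    if rule_resource.endswith("/*") and "/" in requested:
        return requested.split("/", 1)[0] == rule_resource[:-2]
    return False


def rule_allows(rule: dict, group: str, resource: str, verb: str) -> bool:
    """A single PolicyRule grants the request only if group, resource and verb all match."""
    group_ok = any(g in ("*", group) for g in rule["apiGroups"])
    verb_ok = any(v in ("*", verb) for v in rule["verbs"])
    resource_ok = any(_resource_matches(r, resource) for r in rule["resources"])
    return group_ok and verb_ok and resource_ok


def can(rules: list[dict], group: str, resource: str, verb: str,
        namespaced_binding: bool = False) -> bool:
    """True if at least one rule grants the request. RBAC is purely additive,
    so the first matching rule wins and nothing can subtract a grant.
    With namespaced_binding=True (a Role + RoleBinding) cluster-scoped
    resources are refused regardless of what the rules say."""
    if namespaced_binding and (group, resource.split("/", 1)[0]) in CLUSTER_SCOPED:
        return False
    return any(rule_allows(rule, group, resource, verb) for rule in rules)


def audit(rules: list[dict], requests: list[tuple[str, str, str]],
          namespaced_binding: bool = False) -> dict[str, bool]:
    """Evaluate a batch of (group, resource, verb) requests, keyed by the
    '<verb> <resource>.<group>' shorthand kubectl auth can-i uses."""
    out: dict[str, bool] = {}
    for group, resource, verb in requests:
        label = f"{verb} {resource}" + (f".{group}" if group else "")
        out[label] = can(rules, group, resource, verb, namespaced_binding)
    return out


if __name__ == "__main__":
    checks = [
        ("", "nodes", "get"),               # cluster-scoped; needs the ClusterRole
        ("", "pods", "list"),               # namespaced; ClusterRole alone does not grant it
        ("", "secrets", "get"),             # the Role's '*' on the core group includes this
        ("", "pods/log", "get"),            # subresource, also covered by '*'
        ("", "pods", "delete"),             # write verbs are granted nowhere
        ("metrics.k8s.io", "nodes", "list"),  # cluster-scoped even though the Role lists it
    ]
    for name, rules, ns in (("ClusterRole", CLUSTER_ROLE_RULES, False),
                            ("Role (default)", ROLE_RULES, True)):
        print(name)
        for label, ok in audit(rules, checks, ns).items():
            print(f"  {'yes' if ok else 'no':<3} {label}")
```

On a live cluster, confirm the same answers for the bound user with kubectl's impersonation, e.g. kubectl auth can-i get secrets --as fernand -n default, or dump everything the user can do with kubectl auth can-i --list --as fernand -n default.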




© 2020 Imhotep Software LLC. All materials are licensed under the Apache v2.0 license.