题目:
Create a new ClusterRole named deployment-clusterrole which only allows creating the following resource types.
Deployment
StatefulSet
DaemonSet
Create a new ServiceAccount named cicd-token in the existing namespace app-team1.
Bind the new ClusterRole deployment-clusterrole to the new ServiceAccount cicd-token, limited to the namespace app-team1.
参考: https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/
root@k8s-master:~# cat clusterrole-demo.yml
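apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" is ignored here: ClusterRoles are not namespaced.
  name: deployment-clusterrole
rules:
  # Deployment, StatefulSet and DaemonSet live in the "apps" API group, not in
  # the core group (""); with apiGroups: [""] this rule would match nothing and
  # the ServiceAccount bound to it would be unable to create any of them.
- apiGroups: ["apps"]
  # Resource names are the lowercase plural used on the HTTP path
  # ("statefulsets", not "statefullsets").
  resources: ["deployments", "statefulsets", "daemonsets"]
  # Only "create" is granted, as the task requires; no get/list/update/delete.
  verbs: ["create"]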
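root@k8s-master:~# kubectl create -f clusterrole-demo.yml
clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created
# The task says app-team1 already exists; "create ns" errors if it does,
# so only run this step when the namespace is really missing.
root@k8s-master:~# kubectl create ns app-team1
namespace/app-team1 created
# Without -n the ServiceAccount is created in "default", not app-team1, and
# the binding below (subject app-team1:cicd-token) would point at a
# ServiceAccount that does not exist.
root@k8s-master:~# kubectl create sa cicd-token -n app-team1
serviceaccount/cicd-token created
# "limited to the namespace app-team1" calls for a RoleBinding in that
# namespace. A ClusterRoleBinding ignores -n and grants the ClusterRole in
# every namespace, which is more privilege than the task allows.
root@k8s-master:~# kubectl create rolebinding role-admin --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
rolebinding.rbac.authorization.k8s.io/role-admin created
# Verify the effective permissions (expected output shown: allowed only in
# app-team1, denied elsewhere).
root@k8s-master:~# kubectl auth can-i create deployments --as=system:serviceaccount:app-team1:cicd-token -n app-team1
yes
root@k8s-master:~# kubectl auth can-i create deployments --as=system:serviceaccount:app-team1:cicd-token -n default
no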