一般选择角色与主体进行绑定
当角色可以做什么事情的时候,主体就可以做什么操作
# Create the namespace that the Deployment, Role and RoleBinding below are scoped to.
kubectl create namespace roletest
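---
# Workload placed in the roletest namespace; the Role/RoleBinding below
# grant read access to its Pods. A document separator is required because
# several manifests share this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dep
  namespace: roletest
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          # Mutable tag; pin to a digest (nginx@sha256:<IMAGE_DIGEST>) if a
          # reproducible, verifiable image is required.
          image: nginx:1.7.9
          # NOTE(review): no resources limits and no securityContext are set
          # on this container — confirm against the cluster's admission policy.
          ports:
            - containerPort: 80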
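---
# Namespaced Role: read-only access to Pods in roletest. No write verbs and
# no other resources are granted, which keeps the binding below least-privilege.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: roletest
  name: Pod-role
rules:
  - apiGroups: [""]  # "" is the core API group (where pods live)
    resources: ["pods"]  # permission applies to pods only
    verbs: ["get", "watch", "list"]  # read-only: get, watch, list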
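---
# Binds Pod-role to the user "alex". Because this is a RoleBinding in
# roletest, the grant is limited to that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: roletest
subjects:
  - kind: User
    name: alex
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: Pod-role  # must match the Role's metadata.name; roleRef is immutable after creation
  apiGroup: rbac.authorization.k8s.io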