操作场景
本文档介绍账号如何在 Kubernetes 集群中如何根据无权限信息创建 RBAC 权限策略,在特定集群中创建权限集合并绑定对应子账号,绑定后子账号将能管理集群下的资源。
报错示例
当子账号没有特定集群的 RBAC 权限并尝试获取资源时,将出现如下报错:
获取 Namespace 下的资源:
获取集群维度下的资源:
前提条件
使用主账号或拥有该集群 RBAC admin 权限的子账号进行授权操作。
操作步骤
1. 登录 容器服务控制台,单击左侧导航栏中的集群。
2. 如果是主账号或者已被授权过 AcquireClusterAdminRole 接口的权限,但并没有该集群的 RBAC admin 权限,可以在集群管理页面,选择目标集群,进入集群详情页。在授权管理 > ClusterRole 中,通过获取集群 Admin 角色进行授权。如下图所示:
3. 在授权管理 > ClusterRole 中,单击 RBAC 策略生成器,选择子账户进行授权。如下图所示:
在新建 ClusterRole 页面,检索对应子账号,单击下一步。
4. 在集群 RBAC 设置中,给子账号授予权限。如下图所示:
Namespace列表:选择是授予 Namespace 级别还是 Cluster 级别的权限。
权限:权限种类分别包含对集群不同范围的权限。
管理员:对所有命名空间下资源的读写权限,拥有集群节点、存储卷、命名空间、配额的读写权限,可配置子账号和权限的读写权限。
运维人员:对所有命名空间下资源的读写权限,拥有集群节点、存储卷、命名空间、配额的读写权限。
开发人员:对所有命名空间或所选命名空间下控制台可见资源的读写权限。
只读用户:对所有命名空间或所选命名空间下控制台可见资源的只读权限。
自定义权限:由您所选择的 ClusterRole 决定,请在确定所选 ClusterRole 对各类资源的操作权限后再进行授权,以免子账号获得不符合预期的权限。
5. 单击完成,完成按策略生成器授予权限的操作。
权限示例
集群 Admin
apiVersion: "rbac.authorization.k8s.io/v1beta1"kind: "ClusterRole"metadata:name: "tke:admin"labels:cloud.tencent.com/tke-rbac-generated: "true"rules:-apiGroups:- "*"resources:- "*"verbs:- "*"-nonResourceURLs:- "*"verbs:- "*"
集群运维管理人员
apiVersion: "rbac.authorization.k8s.io/v1beta1"kind: "ClusterRole"metadata:name: "tke:ops"labels:cloud.tencent.com/tke-rbac-generated: "true"rules:-apiGroups:- ""resources:- "pods"- "pods/attach"- "pods/exec"- "pods/portforward"- "pods/proxy"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- ""resources:- "configmaps"- "endpoints"- "persistentvolumeclaims"- "replicationcontrollers"- "replicationcontrollers/scale"- "secrets"- "serviceaccounts"- "services"- "services/proxy"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- ""resources:- "bindings"- "events"- "limitranges"- "namespaces/status"- "replicationcontrollers/status"- "pods/log"- "pods/status"- "resourcequotas"- "resourcequotas/status"- "componentstatuses"verbs:- "get"- "list"- "watch"-apiGroups:- ""resources:- "namespaces"- "nodes"- "persistentvolumes"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "apps"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "replicasets"- "replicasets/scale"- "statefulsets"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "autoscaling"resources:- "horizontalpodautoscalers"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "autoscaling.cloud.tencent.com"resources:- "horizontalpodcronscalers"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "batch"resources:- "cronjobs"- "jobs"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "extensions"- "networking.k8s.io"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "ingresses"- "replicasets"- "replicasets/scale"- "replicationcontrollers/scale"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "servicecatalog.k8s.io"resources:- "clusterserviceclasses"- "clusterserviceplans"- "clusterservicebrokers"- "serviceinstances"- "servicebindings"verbs:- "create"- "delete"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "servicecatalog.k8s.io"resources:- "clusterservicebrokers/status"- "clusterserviceclasses/status"- "clusterserviceplans/status"- "serviceinstances/status"- "serviceinstances/reference"- "servicebindings/status"verbs:- "update"-apiGroups:- "storage.k8s.io"resources:- "storageclasses"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "policy"resources:- "poddisruptionbudgets"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "networking.istio.io"- "config.istio.io"- "rbac.istio.io"- "authentication.istio.io"- "install.istio.io"- "security.istio.io"resources:- "*"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "apiextensions.k8s.io"resources:- "customresourcedefinitions"verbs:- "get"- "list"- "create"- "watch"- "patch"- "update"- "delete"- "deletecollection"-apiGroups:- "networking.tke.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "create"- "watch"- "patch"- "update"- "delete"- "deletecollection"-apiGroups:- "cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "create"- "watch"- "patch"- "update"- "delete"- "deletecollection"-apiGroups:- "ccs.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "create"- "watch"- "patch"- "update"- "delete"- "deletecollection"-apiGroups:- "cls.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "create"- "watch"- "patch"- "update"- "delete"- "deletecollection"
集群开发人员
---apiVersion: "rbac.authorization.k8s.io/v1beta1"kind: "ClusterRole"metadata:name: "tke:dev"labels:cloud.tencent.com/tke-rbac-generated: "true"rules:-apiGroups:- ""resources:- "pods"- "pods/attach"- "pods/exec"- "pods/portforward"- "pods/proxy"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- ""resources:- "configmaps"- "endpoints"- "persistentvolumeclaims"- "replicationcontrollers"- "replicationcontrollers/scale"- "secrets"- "serviceaccounts"- "services"- "services/proxy"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- ""resources:- "events"- "replicationcontrollers/status"- "pods/log"- "pods/status"- "componentstatuses"verbs:- "get"- "list"- "watch"-apiGroups:- ""resources:- "namespaces"- "nodes"- "persistentvolumes"verbs:- "get"- "list"- "watch"-apiGroups:- "apps"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "replicasets"- "replicasets/scale"- "statefulsets"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "autoscaling"resources:- "horizontalpodautoscalers"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "autoscaling.cloud.tencent.com"resources:- "horizontalpodcronscalers"verbs:- "get"- "list"- "watch"-apiGroups:- "batch"resources:- "cronjobs"- "jobs"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "extensions"- "networking.k8s.io"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "ingresses"- "replicasets"- "replicasets/scale"- "replicationcontrollers/scale"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "servicecatalog.k8s.io"resources:- "clusterserviceclasses"- "clusterserviceplans"- "clusterservicebrokers"- "serviceinstances"- "servicebindings"verbs:- "create"- "delete"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "servicecatalog.k8s.io"resources:- "clusterservicebrokers/status"- "clusterserviceclasses/status"- "clusterserviceplans/status"- "serviceinstances/status"- "serviceinstances/reference"- "servicebindings/status"verbs:- "update"-apiGroups:- "storage.k8s.io"resources:- "storageclasses"verbs:- "get"- "list"- "watch"-apiGroups:- "policy"resources:- "poddisruptionbudgets"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "networking.istio.io"- "config.istio.io"- "rbac.istio.io"- "authentication.istio.io"- "security.istio.io"- "install.istio.io"resources:- "*"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "apiextensions.k8s.io"resources:- "customresourcedefinitions"verbs:- "get"- "list"- "create"- "watch"- "patch"- "update"- "delete"- "deletecollection"-apiGroups:- "networking.tke.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "ccs.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "cls.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"
集群指定Namespace开发人员
apiVersion: "rbac.authorization.k8s.io/v1beta1"kind: "ClusterRole"metadata:name: "tke:ns:dev"labels:cloud.tencent.com/tke-rbac-generated: "true"rules:-apiGroups:- ""resources:- "pods"- "pods/attach"- "pods/exec"- "pods/portforward"- "pods/proxy"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- ""resources:- "configmaps"- "endpoints"- "persistentvolumeclaims"- "replicationcontrollers"- "replicationcontrollers/scale"- "secrets"- "serviceaccounts"- "services"- "services/proxy"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- ""resources:- "nodes"- "persistentvolumes"- "events"- "replicationcontrollers/status"- "pods/log"- "pods/status"verbs:- "get"- "list"- "watch"-apiGroups:- "apps"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "replicasets"- "replicasets/scale"- "statefulsets"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "autoscaling"resources:- "horizontalpodautoscalers"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "autoscaling.cloud.tencent.com"resources:- "horizontalpodcronscalers"verbs:- "get"- "list"- "watch"-apiGroups:- "batch"resources:- "cronjobs"- "jobs"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "extensions"- "networking.k8s.io"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "ingresses"- "replicasets"- "replicasets/scale"- "replicationcontrollers/scale"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "servicecatalog.k8s.io"resources:- "clusterserviceclasses"- "clusterserviceplans"- "clusterservicebrokers"- "serviceinstances"- "servicebindings"verbs:- "create"- "delete"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "servicecatalog.k8s.io"resources:- "clusterservicebrokers/status"- "clusterserviceclasses/status"- "clusterserviceplans/status"- "serviceinstances/status"- "serviceinstances/reference"- "servicebindings/status"verbs:- "update"-apiGroups:- "storage.k8s.io"resources:- "storageclasses"verbs:- "get"- "list"- "watch"-apiGroups:- "policy"resources:- "poddisruptionbudgets"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "networking.istio.io"- "config.istio.io"- "rbac.istio.io"- "authentication.istio.io"- "security.istio.io"- "install.istio.io"resources:- "*"verbs:- "create"- "delete"- "deletecollection"- "get"- "list"- "patch"- "update"- "watch"-apiGroups:- "apiextensions.k8s.io"resources:- "customresourcedefinitions"verbs:- "get"- "list"- "create"- "watch"- "patch"- "update"- "delete"- "deletecollection"-apiGroups:- "networking.tke.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "ccs.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "cls.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"
集群只读人员
apiVersion: "rbac.authorization.k8s.io/v1beta1"kind: "ClusterRole"metadata:name: "tke:ro"labels:cloud.tencent.com/tke-rbac-generated: "true"rules:-apiGroups:- ""resources:- "pods"- "pods/attach"- "pods/exec"- "pods/portforward"- "pods/proxy"verbs:- "get"- "list"- "watch"-apiGroups:- ""resources:- "configmaps"- "endpoints"- "persistentvolumeclaims"- "replicationcontrollers"- "replicationcontrollers/scale"- "secrets"- "serviceaccounts"- "services"- "services/proxy"verbs:- "get"- "list"- "watch"-apiGroups:- ""resources:- "nodes"- "persistentvolumes"verbs:- "get"- "list"- "watch"-apiGroups:- ""resources:- "events"- "replicationcontrollers/status"- "pods/log"- "pods/status"- "componentstatuses"verbs:- "get"- "list"- "watch"-apiGroups:- "apps"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "replicasets"- "replicasets/scale"- "statefulsets"verbs:- "get"- "list"- "watch"-apiGroups:- "autoscaling"resources:- "horizontalpodautoscalers"verbs:- "get"- "list"- "watch"-apiGroups:- "autoscaling.cloud.tencent.com"resources:- "horizontalpodcronscalers"verbs:- "get"- "list"- "watch"-apiGroups:- "storage.k8s.io"resources:- "storageclasses"verbs:- "get"- "list"- "watch"-apiGroups:- "batch"resources:- "cronjobs"- "jobs"verbs:- "get"- "list"- "watch"-apiGroups:- "extensions"- "networking.k8s.io"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "ingresses"- "replicasets"- "replicasets/scale"- "replicationcontrollers/scale"verbs:- "get"- "list"- "watch"-apiGroups:- "servicecatalog.k8s.io"resources:- "clusterserviceclasses"- "clusterserviceplans"- "clusterservicebrokers"- "serviceinstances"- "servicebindings"verbs:- "get"- "list"- "watch"-apiGroups:- "policy"resources:- "poddisruptionbudgets"verbs:- "get"- "list"-apiGroups:- "networking.istio.io"- "config.istio.io"- "rbac.istio.io"- "authentication.istio.io"- "security.istio.io"- "install.istio.io"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "apiextensions.k8s.io"resources:- "customresourcedefinitions"verbs:- "get"- "list"- "watch"-apiGroups:- "networking.tke.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "ccs.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "cls.cloud.tencent.com"resources:- "*"verbs:- "get"- "list"- "watch"
集群指定Namespace只读人员
apiVersion: "rbac.authorization.k8s.io/v1beta1"kind: "ClusterRole"metadata:name: "tke:ns:ro"labels:cloud.tencent.com/tke-rbac-generated: "true"rules:-apiGroups:- ""resources:- "pods"- "pods/attach"- "pods/exec"- "pods/portforward"- "pods/proxy"verbs:- "get"- "list"- "watch"-apiGroups:- ""resources:- "nodes"- "persistentvolumes"verbs:- "get"- "list"- "watch"-apiGroups:- ""resources:- "configmaps"- "endpoints"- "persistentvolumeclaims"- "replicationcontrollers"- "replicationcontrollers/scale"- "secrets"- "serviceaccounts"- "services"- "services/proxy"verbs:- "get"- "list"- "watch"-apiGroups:- ""resources:- "events"- "replicationcontrollers/status"- "pods/log"- "pods/status"verbs:- "get"- "list"- "watch"-apiGroups:- "apps"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "replicasets"- "replicasets/scale"- "statefulsets"verbs:- "get"- "list"- "watch"-apiGroups:- "autoscaling"resources:- "horizontalpodautoscalers"verbs:- "get"- "list"- "watch"-apiGroups:- "autoscaling.cloud.tencent.com"resources:- "horizontalpodcronscalers"verbs:- "get"- "list"- "watch"-apiGroups:- "batch"resources:- "cronjobs"- "jobs"verbs:- "get"- "list"- "watch"-apiGroups:- "extensions"- "networking.k8s.io"resources:- "daemonsets"- "deployments"- "deployments/rollback"- "deployments/scale"- "ingresses"- "replicasets"- "replicasets/scale"- "replicationcontrollers/scale"verbs:- "get"- "list"- "watch"-apiGroups:- "servicecatalog.k8s.io"resources:- "clusterserviceclasses"- "clusterserviceplans"- "clusterservicebrokers"- "serviceinstances"- "servicebindings"verbs:- "get"- "list"- "watch"-apiGroups:- "policy"resources:- "poddisruptionbudgets"verbs:- "get"- "list"-apiGroups:- "networking.istio.io"- "config.istio.io"- "rbac.istio.io"- "authentication.istio.io"- "security.istio.io"- "install.istio.io"resources:- "*"verbs:- "get"- "list"- "watch"-apiGroups:- "apiextensions.k8s.io"resources:- "customresourcedefinitions"verbs:- "get"- "list"- "watch"
