当前位置：首页 > news >正文

横沥建设网站菠菜网站怎么做推广

news 2025/12/7 9:25:50

横沥建设网站,菠菜网站怎么做推广,保定学校网站建设,平陆县做网站文章目录权限精细化分配---通过sa和自建角色实现权限精细化分配1.新建sa2.建立一个角色#xff0c;并将该角色绑定到sa上3.授权namespace的权限,设置ClusterRole和ClusterRolebinding 权限精细化分配—通过sa和自建角色实现权限精细化分配 1.新建sa kubectl create sa lish… 文章目录权限精细化分配---通过sa和自建角色实现权限精细化分配1.新建sa2.建立一个角色并将该角色绑定到sa上3.授权namespace的权限,设置ClusterRole和ClusterRolebinding 权限精细化分配—通过sa和自建角色实现权限精细化分配 1.新建sa kubectl create sa lishanbin -n planck2.建立一个角色并将该角色绑定到sa上角色role-sa 具有的权限仅仅是namespace planck内的所有pod的查看权限以及deployment的查看权限无权删除修改这些资源 [rootk8s-master ~]# cat sa-role-binding.yaml #k8s 1.22.10 kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata:name: role-sanamespace: planck #指定 Namespace rules: #权限分配- apiGroups: []resources: [pods]verbs: [get, watch, list]- apiGroups: []resources: [pods/log]verbs: [get,list,watch]- apiGroups: []resources: [pods/attach]verbs: [get,list,watch]- apiGroups: []resources: [pods/exec]verbs: [get,list,watch]- apiGroups: []resources: [pods/status]verbs: [get,list,watch]- apiGroups: []resources: [podtemplates]verbs: [get,list,watch]- apiGroups: [extensions, apps]resources: [deployments,statefulsets]verbs: [get, list, watch]- apiGroups: []resources: [configmaps]verbs: [get, list, watch]- apiGroups: []resources: [endpoints]verbs: [get, list, watch]- apiGroups: []resources: [events]verbs: [get, list, watch]- apiGroups: []resources: [replicationcontrollers]verbs: [get, list, watch]- apiGroups: []resources: [replicationcontrollers/status]verbs: [get]- apiGroups: []resources: [services]verbs: [get, list, watch]- apiGroups: []resources: [services/status]verbs: [get, list, watch] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata:name: rbac-role-bindingnamespace: planck #指定 Namespace subjects:- kind: ServiceAccountname: lishanbin #指定 ServiceAccountnamespace: planck #指定 Namespace roleRef:kind: Rolename: role-saapiGroup: rbac.authorization.k8s.io3.授权namespace的权限,设置ClusterRole和ClusterRolebinding 为什么要授权是因为sa内的secrets里的token只有在dashboard内使用而上面的角色和角色绑定都是dev这个namespace内的这样绑定后拿到token才可以登录到dashboard的首页否则都无法选择namespace。 cat rbac-cluster-role-binding.yaml #k8s 1.22.10 kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata:name: rbac-namespace-role rules:- apiGroups: [] #配置权限配置其只用于 namespace 的 list 权限resources: [namespaces]verbs: [list]- apiGroups: []resources: [namespaces/status]verbs: [get] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata:name: rbac-default-role-binding subjects:- kind: ServiceAccountname: lishanbin #配置为自定义的 ServiceAccountnamespace: planck #指定为服务账户所在的 Namespace roleRef:kind: ClusterRolename: rbac-namespace-role #配置上面的 RoleapiGroup: rbac.authorization.k8s.iokubectl -n planck describe secret $(kubectl get secret -n planck | grep lishanbin | awk {print $1})kubernetes的dashboard提供Token和kubeconfig两种认证方式因此上面拿到token以后可以通过token进行访问planck这个ns下的资源了。

查看全文

http://wiki.neutronadmin.com/news/89440/