我想创建 kubernetes 服务帐户和角色/rbac,这将授予修补/更新部署注释的权限。服务帐户不应该能够对 Kubernetes 部署执行任何其他更新。它应该仅对元数据部分具有升级和修补权限。
1 回答
0
我将为您提供一个示例,说明如何根据需要创建服务帐户,您可以使用我的示例并轻松修改,它看起来像这样:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role # it can be ClusterRole if you want your service account for all nodes and across all namespaces
metadata:
namespace: default # if can specify any your working namespace
name: depl-patch-role
rules:
- apiGroups: [""] # "" indicates the core API group, you can set any specific group
resources: ["deployments"]
verbs: ["update", "patch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: depl-patch-sa
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: depl-patch-rolebinding
namespace: default
subjects:
- kind: ServiceAccount
name: depl-patch-sa
apiGroup: "" # same as above
roleRef:
kind: Role
name: depl-patch-role
apiGroup: ""
希望这可以帮助。您可以在官方文档中找到有关角色/rbac 的更多信息
于 2021-12-24T11:04:04.577 回答