RBAC: keep the rights to the "list" of secrets and restrict the "list" of several secrets by name

Question

I have an operator whose code is not accessible.
By default, the operator requires the rights to list all secrets, with no "resourceNames" restriction.
I can't grant such rights. Is there any way to keep the rights to list all secrets and prohibit listing multiple secrets by name?

I tried to give rights to list with resourceNames, but the operator does not accept this behavior and writes an error on startup:

failed to list v1.Secret: secrets is forbidden: User "system:serviceaccount:operator-*****" cannot list resource "secrets" in API group "" in the namespace "namespace-name"
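
Why the resourceNames attempt produces exactly this error, as an added example that is not part of the original post: a small Python model of how the Kubernetes RBAC authorizer evaluates a PolicyRule against a request. The PolicyRule and Request classes are simplified stand-ins for the real API types, and the rule contents and secret names are constructed samples.

```python
# Added example, not from the original post: a minimal model of how the
# Kubernetes RBAC authorizer matches a request against a PolicyRule
# (mirrors its RuleAllows / ResourceNameMatches logic).
from dataclasses import dataclass, field

@dataclass
class PolicyRule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)

@dataclass
class Request:
    """Request attributes as seen by the authorizer. A list request carries
    an empty name unless it uses an exact fieldSelector on metadata.name."""
    verb: str
    api_group: str
    resource: str
    name: str = ""

def _matches(permitted: list, value: str) -> bool:
    # "*" is a wildcard for verbs, apiGroups and resources, never for resourceNames.
    return "*" in permitted or value in permitted

def rule_allows(rule: PolicyRule, req: Request) -> bool:
    if not (_matches(rule.verbs, req.verb)
            and _matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource)):
        return False
    if not rule.resource_names:   # unscoped rule: also covers unnamed list requests
        return True
    return req.name in rule.resource_names   # scoped rule: needs a named object

def allowed(rules: list, req: Request) -> bool:
    """Authorized if any rule bound to the subject allows the request."""
    return any(rule_allows(r, req) for r in rules)

# Constructed sample rules: the scoped rule the question tried, and the
# unscoped rule the operator actually needs for its startup list.
RESTRICTED = [PolicyRule([""], ["secrets"], ["get", "list"], ["db-creds", "api-token"])]
UNRESTRICTED = [PolicyRule([""], ["secrets"], ["list"])]

LIST_ALL = Request("list", "", "secrets")              # no name: what the operator does
GET_NAMED = Request("get", "", "secrets", "db-creds")
GET_OTHER = Request("get", "", "secrets", "other")

if __name__ == "__main__":
    print(allowed(RESTRICTED, LIST_ALL))    # False -> "secrets is forbidden"
    print(allowed(RESTRICTED, GET_NAMED))   # True
```

A scoped rule can therefore only ever authorize requests that name a single object, which is why resourceNames cannot be used to narrow an unscoped list.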

Answer 1

Score: 2

failed to list v1.Secret: secrets is forbidden: User "system:serviceaccount:operator-*****" cannot list resource "secrets" in API group "" in the namespace "namespace-name"

The above error states that the operator's service account does not have permission to list the secrets. To resolve your issue, create a role binding for the service account, as it is not given access by default after creation. To add a viewer (read-only) role to the service account, run the following command:

For example, grant read-only permission within "my-namespace" to the "my-sa" service account:

kubectl create rolebinding my-sa-view \
  --clusterrole=view \
  --serviceaccount=my-namespace:my-sa \
  --namespace=my-namespace

Found a similar stack question for more information.

huangapple
  • Posted on 6 February 2023, 18:54:17
  • Please keep the link to this article when reposting: https://go.coder-hub.com/75360371.html