英文:
can kubernetes role override clusterrole?
问题
例如,我有一个角色,允许用户从特定命名空间获取Pod列表。还有一个ClusterRole,允许用户从所有命名空间获取Pod列表。
用户能否从所有命名空间获取所有Pod?或者角色会覆盖ClusterRole,因为角色更具体?
我知道这没有意义。但如果我错误地这样做了呢?
英文:
For example I have a role that gives permission to user get list of pods from specific namespace. And I have a clusterRole that gives permission to user get list of pods from all namespaces.
can user get all pods from all namespaces? or does role override clusterRole because role is more specific?
I know this doesn't make sense. But what if I do it by mistake?
答案1
得分: 1
根据https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
权限是纯粹叠加的(没有“拒绝”规则)。
这意味着如果用户绑定到多个角色或集群角色,他们不能获得更少的权限,只能获得更多权限。
英文:
As per https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
> Permissions are purely additive (there are no "deny" rules).
That means you can't get less rights, only more if user is bound to multiple Roles or ClusterRoles
答案2
得分: 1
在Kubernetes中,ClusterRole优先于Roles。因为Role绑定到特定的命名空间,而ClusterRole是一个非命名空间的资源。每当用户请求资源时,Kubernetes将检查分配给该用户或服务帐户的角色和ClusterRoles。
如果Roles和ClusterRoles之间存在冲突,那么ClusterRole将覆盖Kubernetes中用户或服务帐户的Role权限。
有关更详细的信息,请参考官方RBAC文档。
英文:
In kubernetes ClusterRole takes precedence over the Roles. Because the Role is bound to a certain namespace whereas the ClusterRole is a non-namespaced resource. Whenever a user requests for resources, the kubernetes will check the roles and clusterroles assigned to that user or service account.
If there is any conflict between Roles and ClusterRoles then the ClusterRole overrides the Role permissions for a user or service account in kubernetes.
For more detailed information refer to the Official RBAC Document
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论