I have a group of users (dev-team) who only need access to the dev and qa namespaces. I created a ServiceAccount, a ClusterRole and a ClusterRoleBinding as shown below.
ServiceAccount:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-team
ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: dev-team-users
rules:
- apiGroups: ["rbac.authorization.k8s.io",""]
  resources: ["namespaces"]
  resourceNames: ["dev","qa"]
  verbs: ["get","list","create"]
ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: dev-team-user-bindings
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dev-team-users
subjects:
- kind: User
  name: dev-team
  namespace: kube-system
  apiGroup: rbac.authorization.k8s.io
When I try to verify the access by running the following command

kubectl get namespaces --as=dev-team

I get this error message:

Error from server (Forbidden): namespaces is forbidden: User "dev-team" cannot list resource "namespaces" in API group "" at the cluster scope
I expected only the dev and qa namespaces to be shown. What am I missing here?
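The following is an added example, not code from the question or from Kubernetes itself. It is a small Python model of how the RBAC authorizer matches a request against a PolicyRule (verb, API group, resource, and then resourceNames), with the question's rule transcribed into it. The request and rule types, and the function names, are constructed for this illustration. Running it shows why the plain `kubectl get namespaces` call is refused while fetching a single allow-listed namespace by name is not: a list request carries no object name, and a rule that has a resourceNames list only matches requests that name one of those objects.

```python
"""Toy model of Kubernetes RBAC rule matching.

Constructed example (not Kubernetes source): it mirrors the shape of the
authorizer's rule check so the effect of resourceNames on list requests
can be seen offline, without a cluster.
"""
from dataclasses import dataclass, field


@dataclass
class PolicyRule:
    """One entry of a (Cluster)Role's `rules` list."""
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


@dataclass
class Request:
    """The attributes the authorizer sees for one API request.

    `name` is empty for collection requests (list, watch, create): the
    server does not know which object(s) the call refers to yet.
    """
    verb: str
    api_group: str
    resource: str
    name: str = ""


def _matches(allowed, value, wildcard="*"):
    """A rule list matches if it contains the value or the '*' wildcard."""
    return wildcard in allowed or value in allowed


def resource_name_matches(rule, requested_name):
    """resourceNames semantics.

    - No resourceNames on the rule: the rule applies to every object.
    - resourceNames present: the request must name one of them. A request
      with no name (list/watch/create) therefore never matches such a rule.
    """
    if not rule.resource_names:
        return True
    return requested_name in rule.resource_names


def rule_allows(request, rule):
    """All four dimensions must match for a single rule to grant access."""
    return (
        _matches(rule.verbs, request.verb)
        and _matches(rule.api_groups, request.api_group)
        and _matches(rule.resources, request.resource)
        and resource_name_matches(rule, request.name)
    )


def authorize(request, rules):
    """RBAC is allow-only: any matching rule grants, otherwise Forbidden."""
    return any(rule_allows(request, rule) for rule in rules)


# The rule from the question's ClusterRole, transcribed as-is.
DEV_TEAM_RULES = [
    PolicyRule(
        api_groups=["rbac.authorization.k8s.io", ""],
        resources=["namespaces"],
        resource_names=["dev", "qa"],
        verbs=["get", "list", "create"],
    )
]


def check_dev_team_access():
    """Evaluate the requests a dev-team member would typically make."""
    return {
        # kubectl get namespaces  -> a list request with no object name
        "list namespaces": authorize(Request("list", "", "namespaces"), DEV_TEAM_RULES),
        # kubectl get namespace dev  -> a get request naming 'dev'
        "get namespace dev": authorize(Request("get", "", "namespaces", "dev"), DEV_TEAM_RULES),
        "get namespace qa": authorize(Request("get", "", "namespaces", "qa"), DEV_TEAM_RULES),
        # A namespace outside the allow-list stays forbidden.
        "get namespace prod": authorize(Request("get", "", "namespaces", "prod"), DEV_TEAM_RULES),
    }


if __name__ == "__main__":
    for req, allowed in check_dev_team_access().items():
        print(f"{req:20s} -> {'allowed' if allowed else 'forbidden'}")
```

The model only covers rule matching; it does not reproduce subject binding (which is why the `kind: User` vs `kind: ServiceAccount` question in the binding is out of its scope) or newer API server behaviour where a list with a `metadata.name` field selector can carry a name. The point it makes holds regardless: resourceNames narrows named-object requests and does not turn `list` into a filtered view.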