我有以下用户清单,我想允许myapp-user获取集群中所有命名空间的列表。我查找了一些资料,发现应该创建一个ClusterRole,但我找不到足够的详细信息。是否有任何apiGroups及其对应资源和动词列表的清单?
apiVersion: v1
kind: ServiceAccount
metadata:
name: myapp-user
namespace: myapp
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: myapp-user-role
namespace: myapp
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources:
- ingress
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: myapp-user
namespace: myapp
subjects:
- kind: ServiceAccount
name: myapp-suer
namespace: myapp
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: myapp-user-role
我认为将这部分内容添加到 role.rules 中可能会有所帮助,但不幸的是没有。
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["GET"]