kubernetes | 您所在的位置:网站首页 › k8s serviceaccount namespace › kubernetes |
I have a cluster with multiple namespaces. Let's call them: ns1 and ns2 I also have multiple service accounts, lets call them sa1 and sa2, all in one namespace - sa-ns. Both users can access all resources within both namespaces, however they cannot list namespaces they are part of. kubectl get ns --as=sa1 returns: Error from server (Forbidden): namespaces is forbidden: User "sa1" cannot list resource "namespaces" in API group "" at the cluster scope It works only if I manually specify which namespace I want to list: kubectl get ns ns1 --as=sa1 NAME STATUS AGE ns1 Active 6d6hI need both users sa1 and sa2 be able to list all namespaces within cluster they have access to. In this case ns1 and ns2. This behavior also probably wont allow me to list namespaces and it's resources in Lens dashboards. From the the namespace list I can list only the namespace sa-ns the users sa1 & sa2 are part of. Dashboards are however empty as you can seen on the image bellow. I tried to add namespace the user has in fact access to via ACCESSIBLE NAMESPACES feature in Lens, but it doesn't work either. I still don't see anything, only blank dashboards. ServiceAccount: apiVersion: v1 kind: ServiceAccount metadata: name: sa1 namespace: sa-ns --- apiVersion: v1 kind: ServiceAccount metadata: name: sa2 namespace: sa-nsRole: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: admin-role namespace: ns1 rules: - apiGroups: - "*" resources: - "*" verbs: - "*" --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: admin-role namespace: ns2 rules: - apiGroups: - "*" resources: - "*" verbs: - "*"RoleBinding: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: admin-role-binding namespace: ns1 roleRef: kind: Role name: admin-role apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: sa1 namespace: sa-ns --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: admin-role-binding namespace: ns2 roleRef: kind: Role name: admin-role apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: sa2 namespace: sa-nsI tried to use ClusterRoleinstead of Role but nothing has changed. |
CopyRight 2018-2019 实验室设备网 版权所有 |