- Le plus récent
- Le plus de votes
- La plupart des commentaires
Step 1: Define a New Kubernetes Role or ClusterRole First, you need to define what permissions the new group should have. You can create a Role for namespace-specific permissions or a ClusterRole for cluster-wide permissions. Here's an example of how to define a ClusterRole with restricted permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: custom-restricted-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
This ClusterRole allows users only to get, list, and watch pods across the cluster.
Step 2: Create a ClusterRoleBinding or RoleBinding To assign the ClusterRole to a group, you use a ClusterRoleBinding (or RoleBinding for a Role). For example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: custom-restricted-role-binding
subjects:
- kind: Group
name: custom-group
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: custom-restricted-role
apiGroup: rbac.authorization.k8s.io
Step 3: Update the aws-auth ConfigMap Now, you need to map AWS IAM roles or users to the new Kubernetes group in the aws-auth ConfigMap. Here’s how you update it:
mapRoles: |
- rolearn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>
username: <ROLE_NAME>
groups:
- custom-group
For an IAM user, the entry would be similar but under mapUsers.
Contenus pertinents
- demandé il y a un an
- demandé il y a un an
- demandé il y a un an
- demandé il y a un an
- AWS OFFICIELA mis à jour il y a un an
- AWS OFFICIELA mis à jour il y a un an
- AWS OFFICIELA mis à jour il y a 2 ans
Thanks for the answer. In steps one and two, is it necessary to create a new file with the informed settings or do I edit an existing file? Is there a list where I can see all existing cluster roles in the cluster's RBAC?
You create a new manifest file and apply it. After that, the data goes to the Kubernetes configuration via API
if you use "kubectl" util, you can execute the following command to see all existing cluster roles
kubectl get clusterroles