Role-based access control (RBAC) objects determine whether a user is allowed to perform a given action within a project.
Administrators with the dedicated-admin role can use the cluster roles and bindings to control who has various access levels to the Red Hat OpenShift Service on AWS platform itself and to all projects.
Developers can use local roles and bindings to control who has access to their projects. Note that authorization is a separate step from authentication, which is more about determining the identity of who is taking the action.
Authorization is managed using the following objects:
Authorization object | Description |
---|---|
Rules | Sets of permitted verbs on a set of objects. For example, whether a user or service account can |
Roles | Collections of rules. You can associate, or bind, users and groups to multiple roles. |
Bindings | Associations between users and/or groups with a role. |
There are two levels of RBAC roles and bindings that control authorization:
RBAC level | Description |
---|---|
Cluster RBAC | Roles and bindings that are applicable across all projects. Cluster roles exist cluster-wide, and cluster role bindings can reference only cluster roles. |
Local RBAC | Roles and bindings that are scoped to a given project. While local roles exist only in a single project, local role bindings can reference both cluster and local roles. |
Cluster role bindings are bindings that exist at the cluster level. Role bindings exist at the project level. The cluster role view must be bound to a user by using a local role binding for that user to view the project. Create local roles only if a cluster role does not provide the set of permissions needed for a particular situation.
This two-level hierarchy allows reuse across multiple projects through the cluster roles while allowing customization inside of individual projects through local roles.
During evaluation, both the cluster role bindings and the local role bindings are used. For example:
Cluster-wide "allow" rules are checked.
Locally-bound "allow" rules are checked.
Deny by default.
Red Hat OpenShift Service on AWS includes a set of default cluster roles that you can bind to users and groups cluster-wide or locally.
It is not recommended to manually modify the default cluster roles. Modifications to these system roles can prevent a cluster from functioning properly.
Default cluster role | Description |
---|---|
admin | A project manager. If used in a local binding, |
basic-user | A user that can get basic information about projects and users. |
cluster-admin | A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project. |
cluster-status | A user that can get basic cluster status information. |
cluster-reader | A user that can get or view most of the objects but cannot modify them. |
edit | A user that can modify most objects in a project but does not have the power to view or modify roles or bindings. |
self-provisioner | A user that can create their own projects. |
view | A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings. |
Be mindful of the difference between local and cluster bindings. For example, if you bind the cluster-admin role to a user by using a local role binding, it might appear that this user has the privileges of a cluster administrator. This is not the case. Binding cluster-admin to a user in a project grants super administrator privileges for only that project to the user. That user has the permissions of the cluster role admin, plus a few additional permissions, such as the ability to edit rate limits, for that project. This binding can be confusing via the web console UI, which does not list cluster role bindings that are bound to true cluster administrators. However, it does list local role bindings that you can use to locally bind cluster-admin.
The following diagram illustrates the relationships between cluster roles, local roles, cluster role bindings, local role bindings, users, groups and service accounts.
Red Hat OpenShift Service on AWS evaluates authorization by using:
The user name and the list of groups that the user belongs to.
The action you perform. In most cases, this consists of:
Project: the project you access. A project is a Kubernetes namespace with additional annotations that allows a community of users to organize and manage their content in isolation from other communities.
Verb: the action itself: get, list, create, update, delete, deletecollection, or watch.
Resource name: the API endpoint that you access.
The full list of bindings, the associations between users or groups with a role.
Red Hat OpenShift Service on AWS evaluates authorization by using the following steps:
The identity and the project-scoped action are used to find all bindings that apply to the user or their groups.
Bindings are used to locate all the roles that apply.
Roles are used to find all the rules that apply.
The action is checked against each rule to find a match.
If no matching rule is found, the action is then denied by default.
Remember that users and groups can be associated with, or bound to, multiple roles at the same time.
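The following Python model is an added example, not part of the Red Hat documentation or of OpenShift itself: it implements the five evaluation steps above over constructed roles and bindings, and it also demonstrates the local-versus-cluster binding point made earlier, that cluster-admin bound through a local role binding in project joe grants nothing outside joe. All role, project, user and group names in it are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    verbs: FrozenSet[str]
    resources: FrozenSet[str]

    def matches(self, verb: str, resource: str) -> bool:
        # "*" is the wildcard, as in the cluster-admin rule `*.* [] [] [*]`
        return ("*" in self.verbs or verb in self.verbs) and (
            "*" in self.resources or resource in self.resources)

@dataclass(frozen=True)
class Binding:
    role_kind: str                     # "ClusterRole" or "Role"
    role: str
    subjects: FrozenSet[str]           # user names and "group:<name>" entries
    namespace: Optional[str] = None    # None means a ClusterRoleBinding

    def __post_init__(self):
        # a cluster role binding can reference only a cluster role
        if self.namespace is None and self.role_kind != "ClusterRole":
            raise ValueError("ClusterRoleBinding must reference a ClusterRole")

def rule(verbs: str, resources: str) -> Rule:
    return Rule(frozenset(verbs.split()), frozenset(resources.split()))

# Constructed sample policy: two default cluster roles plus the local role
# `podview` in project `blue` from the `oc create role` example on this page.
CLUSTER_ROLES = {
    "cluster-admin": [rule("*", "*")],
    "view": [rule("get list watch", "pods services configmaps")],
}
LOCAL_ROLES = {("blue", "podview"): [rule("get", "pods")]}

BINDINGS: List[Binding] = [
    # true cluster administrators: a ClusterRoleBinding to cluster-admin
    Binding("ClusterRole", "cluster-admin", frozenset({"group:system:cluster-admins"})),
    # cluster-admin bound locally: super-user in project `joe` only
    Binding("ClusterRole", "cluster-admin", frozenset({"alice"}), namespace="joe"),
    # local role binding to a local role
    Binding("Role", "podview", frozenset({"user2"}), namespace="blue"),
    # local role binding to a cluster role
    Binding("ClusterRole", "view", frozenset({"group:devs"}), namespace="blue"),
]

def is_allowed(user: str, groups: Tuple[str, ...], project: str,
               verb: str, resource: str) -> bool:
    """Evaluate one action with the five steps described in the text."""
    identity = {user} | {f"group:{g}" for g in groups}
    # 1. find the bindings that apply to the identity in this project's scope
    applicable = [b for b in BINDINGS
                  if b.subjects & identity and b.namespace in (None, project)]
    for b in applicable:
        # 2. bindings -> roles; a local binding may point at a local or a cluster role
        if b.role_kind == "Role":
            rules = LOCAL_ROLES.get((b.namespace, b.role), [])
        else:
            rules = CLUSTER_ROLES.get(b.role, [])
        # 3. roles -> rules, 4. check the action against each rule
        if any(r.matches(verb, resource) for r in rules):
            return True
    return False  # 5. no matching rule: deny by default
```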
Project administrators can use the CLI to view local roles and bindings, including a matrix of the verbs and resources each are associated with.
The cluster role bound to the project administrator is limited in a project through a local binding. It is not bound cluster-wide like the cluster roles granted to cluster-admin or system:admin. Cluster roles are roles defined at the cluster level but can be bound either at the cluster level or at the project level.
The default admin, edit, view, and cluster-reader cluster roles support cluster role aggregation, where the cluster rules for each role are dynamically updated as new rules are created. This feature is relevant only if you extend the Kubernetes API by creating custom resources.
A Kubernetes namespace provides a mechanism to scope resources in a cluster. The Kubernetes documentation has more information on namespaces.
Namespaces provide a unique scope for:
Named resources, to avoid basic naming collisions.
Delegated management authority to trusted users.
The ability to limit community resource consumption.
Most objects in the system are scoped by namespace, but some are excepted and have no namespace, including nodes and users.
A project is a Kubernetes namespace with additional annotations, and is the central vehicle by which access to resources for regular users is managed. A project allows a community of users to organize and manage their content in isolation from other communities. Users must be given access to projects by administrators, or, if allowed to create projects, automatically have access to their own projects.
Projects can have a separate name, displayName, and description.
The mandatory name is a unique identifier for the project and is most visible when using the CLI tools or API. The maximum name length is 63 characters.
The optional displayName is how the project is displayed in the web console (defaults to name).
The optional description can be a more detailed description of the project and is also visible in the web console.
Each project scopes its own set of:
Object | Description |
---|---|
Objects | Pods, services, replication controllers, etc. |
Policies | Rules for which users can or cannot perform actions on objects. |
Constraints | Quotas for each kind of object that can be limited. |
Service accounts | Service accounts act automatically with designated access to objects in the project. |
Administrators with the dedicated-admin role can create projects and delegate administrative rights for the project to any member of the user community. Administrators with the dedicated-admin role can also allow developers to create their own projects.
Developers and administrators can interact with projects by using the CLI or the web console.
Red Hat OpenShift Service on AWS comes with a number of default projects, and projects starting with openshift- are the most essential to users. These projects host master components that run as pods and other infrastructure components. Pods created in these namespaces that have a critical pod annotation are considered critical, and the kubelet guarantees their admission. Pods created for master components in these namespaces are already marked as critical.
Do not run workloads in or share access to default projects. Default projects are reserved for running core cluster components. The following default projects are considered highly privileged:
You can use the oc CLI to view cluster roles and bindings by using the oc describe command.
Install the oc CLI.
Obtain permission to view the cluster roles and bindings.
To view the cluster roles and their associated rule sets:
$ oc describe clusterrole.rbac
Name: admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
.packages.apps.redhat.com [] [] [* create update patch delete get list watch]
imagestreams [] [] [create delete deletecollection get list patch update watch create get list watch]
imagestreams.image.openshift.io [] [] [create delete deletecollection get list patch update watch create get list watch]
secrets [] [] [create delete deletecollection get list patch update watch get list watch create delete deletecollection patch update]
buildconfigs/webhooks [] [] [create delete deletecollection get list patch update watch get list watch]
buildconfigs [] [] [create delete deletecollection get list patch update watch get list watch]
buildlogs [] [] [create delete deletecollection get list patch update watch get list watch]
deploymentconfigs/scale [] [] [create delete deletecollection get list patch update watch get list watch]
deploymentconfigs [] [] [create delete deletecollection get list patch update watch get list watch]
imagestreamimages [] [] [create delete deletecollection get list patch update watch get list watch]
imagestreammappings [] [] [create delete deletecollection get list patch update watch get list watch]
imagestreamtags [] [] [create delete deletecollection get list patch update watch get list watch]
processedtemplates [] [] [create delete deletecollection get list patch update watch get list watch]
routes [] [] [create delete deletecollection get list patch update watch get list watch]
templateconfigs [] [] [create delete deletecollection get list patch update watch get list watch]
templateinstances [] [] [create delete deletecollection get list patch update watch get list watch]
templates [] [] [create delete deletecollection get list patch update watch get list watch]
deploymentconfigs.apps.openshift.io/scale [] [] [create delete deletecollection get list patch update watch get list watch]
deploymentconfigs.apps.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
buildconfigs.build.openshift.io/webhooks [] [] [create delete deletecollection get list patch update watch get list watch]
buildconfigs.build.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
buildlogs.build.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
imagestreamimages.image.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
imagestreammappings.image.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
imagestreamtags.image.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
routes.route.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
processedtemplates.template.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
templateconfigs.template.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
templateinstances.template.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
templates.template.openshift.io [] [] [create delete deletecollection get list patch update watch get list watch]
serviceaccounts [] [] [create delete deletecollection get list patch update watch impersonate create delete deletecollection patch update get list watch]
imagestreams/secrets [] [] [create delete deletecollection get list patch update watch]
rolebindings [] [] [create delete deletecollection get list patch update watch]
roles [] [] [create delete deletecollection get list patch update watch]
rolebindings.authorization.openshift.io [] [] [create delete deletecollection get list patch update watch]
roles.authorization.openshift.io [] [] [create delete deletecollection get list patch update watch]
imagestreams.image.openshift.io/secrets [] [] [create delete deletecollection get list patch update watch]
rolebindings.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch]
roles.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch]
networkpolicies.extensions [] [] [create delete deletecollection patch update create delete deletecollection get list patch update watch get list watch]
networkpolicies.networking.k8s.io [] [] [create delete deletecollection patch update create delete deletecollection get list patch update watch get list watch]
configmaps [] [] [create delete deletecollection patch update get list watch]
endpoints [] [] [create delete deletecollection patch update get list watch]
persistentvolumeclaims [] [] [create delete deletecollection patch update get list watch]
pods [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers/scale [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers [] [] [create delete deletecollection patch update get list watch]
services [] [] [create delete deletecollection patch update get list watch]
daemonsets.apps [] [] [create delete deletecollection patch update get list watch]
deployments.apps/scale [] [] [create delete deletecollection patch update get list watch]
deployments.apps [] [] [create delete deletecollection patch update get list watch]
replicasets.apps/scale [] [] [create delete deletecollection patch update get list watch]
replicasets.apps [] [] [create delete deletecollection patch update get list watch]
statefulsets.apps/scale [] [] [create delete deletecollection patch update get list watch]
statefulsets.apps [] [] [create delete deletecollection patch update get list watch]
horizontalpodautoscalers.autoscaling [] [] [create delete deletecollection patch update get list watch]
cronjobs.batch [] [] [create delete deletecollection patch update get list watch]
jobs.batch [] [] [create delete deletecollection patch update get list watch]
daemonsets.extensions [] [] [create delete deletecollection patch update get list watch]
deployments.extensions/scale [] [] [create delete deletecollection patch update get list watch]
deployments.extensions [] [] [create delete deletecollection patch update get list watch]
ingresses.extensions [] [] [create delete deletecollection patch update get list watch]
replicasets.extensions/scale [] [] [create delete deletecollection patch update get list watch]
replicasets.extensions [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers.extensions/scale [] [] [create delete deletecollection patch update get list watch]
poddisruptionbudgets.policy [] [] [create delete deletecollection patch update get list watch]
deployments.apps/rollback [] [] [create delete deletecollection patch update]
deployments.extensions/rollback [] [] [create delete deletecollection patch update]
catalogsources.operators.coreos.com [] [] [create update patch delete get list watch]
clusterserviceversions.operators.coreos.com [] [] [create update patch delete get list watch]
installplans.operators.coreos.com [] [] [create update patch delete get list watch]
packagemanifests.operators.coreos.com [] [] [create update patch delete get list watch]
subscriptions.operators.coreos.com [] [] [create update patch delete get list watch]
buildconfigs/instantiate [] [] [create]
buildconfigs/instantiatebinary [] [] [create]
builds/clone [] [] [create]
deploymentconfigrollbacks [] [] [create]
deploymentconfigs/instantiate [] [] [create]
deploymentconfigs/rollback [] [] [create]
imagestreamimports [] [] [create]
localresourceaccessreviews [] [] [create]
localsubjectaccessreviews [] [] [create]
podsecuritypolicyreviews [] [] [create]
podsecuritypolicyselfsubjectreviews [] [] [create]
podsecuritypolicysubjectreviews [] [] [create]
resourceaccessreviews [] [] [create]
routes/custom-host [] [] [create]
subjectaccessreviews [] [] [create]
subjectrulesreviews [] [] [create]
deploymentconfigrollbacks.apps.openshift.io [] [] [create]
deploymentconfigs.apps.openshift.io/instantiate [] [] [create]
deploymentconfigs.apps.openshift.io/rollback [] [] [create]
localsubjectaccessreviews.authorization.k8s.io [] [] [create]
localresourceaccessreviews.authorization.openshift.io [] [] [create]
localsubjectaccessreviews.authorization.openshift.io [] [] [create]
resourceaccessreviews.authorization.openshift.io [] [] [create]
subjectaccessreviews.authorization.openshift.io [] [] [create]
subjectrulesreviews.authorization.openshift.io [] [] [create]
buildconfigs.build.openshift.io/instantiate [] [] [create]
buildconfigs.build.openshift.io/instantiatebinary [] [] [create]
builds.build.openshift.io/clone [] [] [create]
imagestreamimports.image.openshift.io [] [] [create]
routes.route.openshift.io/custom-host [] [] [create]
podsecuritypolicyreviews.security.openshift.io [] [] [create]
podsecuritypolicyselfsubjectreviews.security.openshift.io [] [] [create]
podsecuritypolicysubjectreviews.security.openshift.io [] [] [create]
jenkins.build.openshift.io [] [] [edit view view admin edit view]
builds [] [] [get create delete deletecollection get list patch update watch get list watch]
builds.build.openshift.io [] [] [get create delete deletecollection get list patch update watch get list watch]
projects [] [] [get delete get delete get patch update]
projects.project.openshift.io [] [] [get delete get delete get patch update]
namespaces [] [] [get get list watch]
pods/attach [] [] [get list watch create delete deletecollection patch update]
pods/exec [] [] [get list watch create delete deletecollection patch update]
pods/portforward [] [] [get list watch create delete deletecollection patch update]
pods/proxy [] [] [get list watch create delete deletecollection patch update]
services/proxy [] [] [get list watch create delete deletecollection patch update]
routes/status [] [] [get list watch update]
routes.route.openshift.io/status [] [] [get list watch update]
appliedclusterresourcequotas [] [] [get list watch]
bindings [] [] [get list watch]
builds/log [] [] [get list watch]
deploymentconfigs/log [] [] [get list watch]
deploymentconfigs/status [] [] [get list watch]
events [] [] [get list watch]
imagestreams/status [] [] [get list watch]
limitranges [] [] [get list watch]
namespaces/status [] [] [get list watch]
pods/log [] [] [get list watch]
pods/status [] [] [get list watch]
replicationcontrollers/status [] [] [get list watch]
resourcequotas/status [] [] [get list watch]
resourcequotas [] [] [get list watch]
resourcequotausages [] [] [get list watch]
rolebindingrestrictions [] [] [get list watch]
deploymentconfigs.apps.openshift.io/log [] [] [get list watch]
deploymentconfigs.apps.openshift.io/status [] [] [get list watch]
controllerrevisions.apps [] [] [get list watch]
rolebindingrestrictions.authorization.openshift.io [] [] [get list watch]
builds.build.openshift.io/log [] [] [get list watch]
imagestreams.image.openshift.io/status [] [] [get list watch]
appliedclusterresourcequotas.quota.openshift.io [] [] [get list watch]
imagestreams/layers [] [] [get update get]
imagestreams.image.openshift.io/layers [] [] [get update get]
builds/details [] [] [update]
builds.build.openshift.io/details [] [] [update]
Name: basic-user
Labels: <none>
Annotations: openshift.io/description: A user that can get basic information about projects.
rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
selfsubjectrulesreviews [] [] [create]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.openshift.io [] [] [create]
clusterroles.rbac.authorization.k8s.io [] [] [get list watch]
clusterroles [] [] [get list]
clusterroles.authorization.openshift.io [] [] [get list]
storageclasses.storage.k8s.io [] [] [get list]
users [] [~] [get]
users.user.openshift.io [] [~] [get]
projects [] [] [list watch]
projects.project.openshift.io [] [] [list watch]
projectrequests [] [] [list]
projectrequests.project.openshift.io [] [] [list]
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
...
To view the current set of cluster role bindings, which shows the users and groups that are bound to various roles:
$ oc describe clusterrolebinding.rbac
Name: alertmanager-main
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: alertmanager-main
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount alertmanager-main openshift-monitoring
Name: basic-users
Labels: <none>
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: basic-user
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:authenticated
Name: cloud-credential-operator-rolebinding
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cloud-credential-operator-role
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount default openshift-cloud-credential-operator
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:masters
Name: cluster-admins
Labels: <none>
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:cluster-admins
User system:admin
Name: cluster-api-manager-rolebinding
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cluster-api-manager-role
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount default openshift-machine-api
...
You can use the oc CLI to view local roles and bindings by using the oc describe command.
Install the oc CLI.
Obtain permission to view the local roles and bindings:
Users with the admin default cluster role bound locally can view and manage roles and bindings in that project.
To view the current set of local role bindings, which shows the users and groups that are bound to various roles for the current project:
$ oc describe rolebinding.rbac
To view the local role bindings for a different project, add the -n flag to the command:
$ oc describe rolebinding.rbac -n joe-project
Name: admin
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: admin
Subjects:
Kind Name Namespace
---- ---- ---------
User kube:admin
Name: system:deployers
Labels: <none>
Annotations: openshift.io/description:
Allows deploymentconfigs in this namespace to rollout pods in
this namespace. It is auto-managed by a controller; remove
subjects to disa...
Role:
Kind: ClusterRole
Name: system:deployer
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount deployer joe-project
Name: system:image-builders
Labels: <none>
Annotations: openshift.io/description:
Allows builds in this namespace to push images to this
namespace. It is auto-managed by a controller; remove subjects
to disable.
Role:
Kind: ClusterRole
Name: system:image-builder
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount builder joe-project
Name: system:image-pullers
Labels: <none>
Annotations: openshift.io/description:
Allows all pods in this namespace to pull images from this
namespace. It is auto-managed by a controller; remove subjects
to disable.
Role:
Kind: ClusterRole
Name: system:image-puller
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:serviceaccounts:joe-project
You can use the oc adm administrator CLI to manage the roles and bindings.
Binding, or adding, a role to users or groups gives the user or group the access that is granted by the role. You can add and remove roles to and from users and groups by using the oc adm policy commands.
You can bind any of the default cluster roles to local users or groups in your project.
Add a role to a user in a specific project:
$ oc adm policy add-role-to-user <role> <user> -n <project>
For example, you can add the admin role to the alice user in the joe project by running the following command:
$ oc adm policy add-role-to-user admin alice -n joe
Alternatively, you can apply the following YAML to add the role to the user:
View the local role bindings and verify the addition in the output:
$ oc describe rolebinding.rbac -n <project>
For example, to view the local role bindings for the joe project:
$ oc describe rolebinding.rbac -n joe
Name: admin
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: admin
Subjects:
Kind Name Namespace
---- ---- ---------
User kube:admin
Name: admin-0
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: admin
Subjects:
Kind Name Namespace
---- ---- ---------
User alice (1)
Name: system:deployers
Labels: <none>
Annotations: openshift.io/description:
Allows deploymentconfigs in this namespace to rollout pods in
this namespace. It is auto-managed by a controller; remove
subjects to disa...
Role:
Kind: ClusterRole
Name: system:deployer
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount deployer joe
Name: system:image-builders
Labels: <none>
Annotations: openshift.io/description:
Allows builds in this namespace to push images to this
namespace. It is auto-managed by a controller; remove subjects
to disable.
Role:
Kind: ClusterRole
Name: system:image-builder
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount builder joe
Name: system:image-pullers
Labels: <none>
Annotations: openshift.io/description:
Allows all pods in this namespace to pull images from this
namespace. It is auto-managed by a controller; remove subjects
to disable.
Role:
Kind: ClusterRole
Name: system:image-puller
Subjects:
Kind Name Namespace
---- ---- ---------
Group system:serviceaccounts:joe
1 | The alice user has been added to the admins RoleBinding. |
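As an added example, not taken from the Red Hat documentation: a parser for `oc describe rolebinding.rbac` output in the shape shown above, run over a constructed sample, so that the "verify the addition in the output" step can be scripted and the subjects bound to powerful roles in a project can be listed for review.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `oc describe rolebinding.rbac -n joe` output
# (not captured from a real cluster); it includes a multi-line annotation.
SAMPLE_OUTPUT = """\
Name:         admin-0
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind   Name                   Namespace
  ----   ----                   ---------
  User   alice
  Group  system:cluster-admins

Name:         system:image-pullers
Labels:       <none>
Annotations:  openshift.io/description:
                Allows all pods in this namespace to pull images from this
                namespace. It is auto-managed by a controller; remove subjects to disable.
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                        Namespace
  ----   ----                        ---------
  Group  system:serviceaccounts:joe
"""

def parse_rolebindings(text: str) -> List[Dict]:
    """Parse `oc describe rolebinding.rbac` output into one dict per binding."""
    bindings: List[Dict] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        top_level = not raw.startswith(" ")
        if top_level and line.startswith("Name:"):
            # an unindented "Name:" line starts a new binding
            current = {"name": line.split(":", 1)[1].strip(),
                       "role_kind": "", "role": "", "subjects": []}
            bindings.append(current)
            section = None
        elif current is None:
            continue
        elif top_level:
            section = line.split(":", 1)[0]  # Labels, Annotations, Role, Subjects
        elif section == "Role":
            key, _, value = line.partition(":")
            current["role_kind" if key == "Kind" else "role"] = value.strip()
        elif section == "Subjects":
            parts = line.split()
            if parts[0] not in ("Kind", "----"):  # skip the column header rows
                parts += [""] * (3 - len(parts))  # namespace column may be empty
                current["subjects"].append(tuple(parts[:3]))
        # annotation continuation lines reach this point and are ignored
    return bindings

def subjects_of_role(bindings: List[Dict], role: str) -> Set[Tuple[str, str]]:
    """(kind, name) of every subject bound to `role`, across all binding names."""
    return {(k, n) for b in bindings if b["role"] == role for k, n, _ in b["subjects"]}

def privileged_subjects(bindings: List[Dict], roles=("admin", "cluster-admin")):
    """Audit helper: sorted (binding, kind, name) for subjects bound to powerful roles."""
    return sorted((b["name"], k, n) for b in bindings if b["role"] in roles
                  for k, n, _ in b["subjects"])
```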
You can create a local role for a project and then bind it to a user.
To create a local role for a project, run the following command:
$ oc create role <name> --verb=<verb> --resource=<resource> -n <project>
In this command, specify:
<name>, the local role's name
<verb>, a comma-separated list of the verbs to apply to the role
<resource>, the resources that the role applies to
<project>, the project name
For example, to create a local role that allows a user to view pods in the blue project, run the following command:
$ oc create role podview --verb=get --resource=pod -n blue
To bind the new role to a user, run the following command:
$ oc adm policy add-role-to-user podview user2 --role-namespace=blue -n blue
When managing a user's or group's associated roles for local role bindings using the following operations, a project may be specified with the -n flag. If it is not specified, then the current project is used.
You can use the following commands for local RBAC management.
Command | Description |
---|---|
$ oc adm policy who-can <verb> <resource> | Indicates which users can perform an action on a resource. |
$ oc adm policy add-role-to-user <role> <username> | Binds a specified role to specified users in the current project. |
$ oc adm policy remove-role-from-user <role> <username> | Removes a given role from specified users in the current project. |
$ oc adm policy remove-user <username> | Removes specified users and all of their roles in the current project. |
$ oc adm policy add-role-to-group <role> <groupname> | Binds a given role to specified groups in the current project. |
$ oc adm policy remove-role-from-group <role> <groupname> | Removes a given role from specified groups in the current project. |
$ oc adm policy remove-group <groupname> | Removes specified groups and all of their roles in the current project. |
You can also manage cluster role bindings using the following operations. The -n flag is not used for these operations because cluster role bindings use non-namespaced resources.
Command | Description |
---|---|
$ oc adm policy add-cluster-role-to-user <role> <username> | Binds a given role to specified users for all projects in the cluster. |
$ oc adm policy remove-cluster-role-from-user <role> <username> | Removes a given role from specified users for all projects in the cluster. |
$ oc adm policy add-cluster-role-to-group <role> <groupname> | Binds a given role to specified groups for all projects in the cluster. |
$ oc adm policy remove-cluster-role-from-group <role> <groupname> | Removes a given role from specified groups for all projects in the cluster. |
Granting cluster-admin access
As the user who created the cluster, add the cluster-admin user role to your account to have the maximum administrator privileges. These privileges are not automatically assigned to your user account when you create the cluster.
Additionally, only the user who created the cluster can grant cluster access to other cluster-admin or dedicated-admin users. Users with dedicated-admin access have fewer privileges. As a best practice, limit the number of cluster-admin users to as few as possible.
You have added an identity provider (IDP) to your cluster.
You have the IDP user name for the user that you are creating.
You are logged in to the cluster.
Give your user cluster-admin privileges:
$ rosa grant user cluster-admin --user=<idp_user_name> --cluster=<cluster_name>
Verify that your user is listed as a cluster administrator:
$ rosa list users --cluster=<cluster_name>
GROUP NAME
cluster-admins rh-rosa-test-user
dedicated-admins rh-rosa-test-user
Enter the following command to verify that your user now has cluster-admin access. A cluster administrator can run this command without errors, but a dedicated administrator cannot:
$ oc get all -n openshift-apiserver
NAME READY STATUS RESTARTS AGE
pod/apiserver-6ndg2 1/1 Running 0 17h
pod/apiserver-lrmxs 1/1 Running 0 17h
pod/apiserver-tsqhz 1/1 Running 0 17h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/api ClusterIP 172.30.23.241 <none> 443/TCP 18h
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/apiserver 3 3 3 3 3 node-role.kubernetes.io/master= 18h
Granting dedicated-admin access
Only the user who created the cluster can grant cluster access to other cluster-admin or dedicated-admin users. Users with dedicated-admin access have fewer privileges. As a best practice, grant dedicated-admin access to most of your administrators.
You have added an identity provider (IDP) to your cluster.
You have the IDP user name for the user that you are creating.
You are logged in to the cluster.
Enter the following command to promote your user to dedicated-admin:
$ rosa grant user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>
Enter the following command to verify that your user now has dedicated-admin access:
$ oc get groups dedicated-admins
NAME USERS
dedicated-admins rh-rosa-test-user
Before Red Hat OpenShift Service on AWS 4.17, the unauthenticated group was allowed access to some cluster roles. Clusters updated from versions before Red Hat OpenShift Service on AWS 4.17 retain this access for the unauthenticated group.
For security reasons, Red Hat OpenShift Service on AWS does not allow the unauthenticated group to have default access to cluster roles.
There are use cases where it might be necessary to add system:unauthenticated to a cluster role.
Cluster administrators can add unauthenticated users to the following cluster roles:
system:scope-impersonation
system:webhook
system:oauth-token-deleter
self-access-reviewer
Always verify compliance with your organization's security standards when modifying unauthenticated access.