This page lists the Chinese display names of the RBAC roles, the English name of the ClusterRole each maps to, and where to find the corresponding Kubernetes permissions.

RBAC access role | ClusterRole name | Kubernetes permissions |
---|---|---|
Cluster administrator | vke:admin | See vke:admin. |
Operations administrator | vke:ops | See vke:ops. |
Privileged developer | vke:dev-promoted | See vke:dev-promoted. |
Developer | vke:dev | See vke:dev. |
Read-only user | vke:visitor | See vke:visitor. |
Run the following command to view the Kubernetes permissions that correspond to vke:admin.

```shell
kubectl get clusterrole vke:admin --output=yaml
```

Expected output:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2023-05-17T04:03:24Z"
  labels:
    app.kubernetes.io/managed-by: Helm
    rbac.vke.volcengine.com/preset-role: "true"
    rbac.vke.volcengine.com/version: 1.0.0
  name: vke:admin
  resourceVersion: "308"
  uid: f79ed7ee-2c92-4074-9b00-359d********
rules:
- apiGroups: ['*']
  resources: ['*']
  verbs: ['*']
- nonResourceURLs: ['*']
  verbs: ['*']
```
Run the following command to view the Kubernetes permissions that correspond to vke:ops.

```shell
kubectl get clusterrole vke:ops --output=yaml
```

Expected output:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2023-05-17T04:03:24Z"
  labels:
    app.kubernetes.io/managed-by: Helm
    argocd.argoproj.io/instance: vke-resource-controller
    rbac.vke.volcengine.com/preset-role: "true"
    rbac.vke.volcengine.com/version: 1.0.6
  name: vke:ops
  resourceVersion: "37760530"
  uid: 85d4a166-1acf-4cd0-8ef1-2bf5********
rules:
- apiGroups: [""]
  resources: [pods, pods/attach, pods/exec, pods/portforward, pods/proxy, pods/eviction]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [""]
  resources: [namespaces, nodes, persistentvolumes, configmaps, endpoints, persistentvolumeclaims,
    replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services,
    services/proxy, limitranges, resourcequotas, resourcequotas/status]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [""]
  resources: [bindings, events, namespaces/status, replicationcontrollers/status, pods/log,
    pods/status, componentstatuses]
  verbs: [get, list, watch]
- apiGroups: [coordination.k8s.io]
  resources: [leases]
  verbs: [get]
- apiGroups: [apps]
  resources: [daemonsets, daemonsets/status, deployments, deployments/status, deployments/rollback,
    deployments/scale, replicasets, replicasets/scale, statefulsets, controllerrevisions]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [autoscaling]
  resources: [horizontalpodautoscalers]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [batch]
  resources: [cronjobs, jobs]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [extensions]
  resources: [daemonsets, daemonsets/status, deployments, deployments/status, deployments/rollback,
    deployments/scale, ingresses, replicasets, replicasets/scale, replicationcontrollers/scale]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [networking.k8s.io]
  resources: ['*']
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [servicecatalog.k8s.io]
  resources: [clusterserviceclasses, clusterserviceplans, clusterservicebrokers, serviceinstances,
    servicebindings]
  verbs: [create, delete, get, list, patch, update, watch]
- apiGroups: [servicecatalog.k8s.io]
  resources: [clusterservicebrokers/status, clusterserviceclasses/status, clusterserviceplans/status,
    serviceinstances/status, serviceinstances/reference, servicebindings/status]
  verbs: [update]
- apiGroups: [storage.k8s.io]
  resources: [storageclasses]
  verbs: [create, delete, get, list, patch, update, watch]
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [get, list, create, watch, patch, update, delete, deletecollection]
- apiGroups: [vke.volcengine.com]
  resources: [cronhpas]
  verbs: [get, list, create, watch, patch, update, delete, deletecollection]
- apiGroups: [appinspect.elkeid.bytedance.com]
  resources: [secinspectpolicies, secinspectreports, secinspectrunconfigs, secinspectclusterreports]
  verbs: [get, list, watch]
- apiGroups: [loadbalancer.vke.volcengine.com]
  resources: [albinstances]
  verbs: [create, delete, get, list, patch, update, watch]
```
Run the following command to view the Kubernetes permissions that correspond to vke:dev-promoted.

```shell
kubectl get clusterrole vke:dev-promoted --output=yaml
```

Expected output:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2023-05-17T04:03:24Z"
  labels:
    app.kubernetes.io/managed-by: Helm
    rbac.vke.volcengine.com/preset-role: "true"
    rbac.vke.volcengine.com/version: 1.0.4
  name: vke:dev-promoted
  resourceVersion: "37760524"
  uid: 7baff690-a3eb-4ab4-b5b2-4ff3********
rules:
- apiGroups: [""]
  resources: [nodes, persistentvolumes, limitranges, resourcequotas]
  verbs: [get, list]
- apiGroups: [storage.k8s.io]
  resources: [storageclasses]
  verbs: [get, list]
- apiGroups: [loadbalancer.vke.volcengine.com]
  resources: [albinstances]
  verbs: [get, list]
- apiGroups: [networking.k8s.io]
  resources: [ingressclasses]
  verbs: [get, list]
```
Run the following command to view the Kubernetes permissions that correspond to vke:dev.

```shell
kubectl get clusterrole vke:dev --output=yaml
```

Expected output:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2023-05-17T04:03:24Z"
  labels:
    app.kubernetes.io/managed-by: Helm
    argocd.argoproj.io/instance: vke-resource-controller
    rbac.vke.volcengine.com/preset-role: "true"
    rbac.vke.volcengine.com/version: 1.0.5
  name: vke:dev
  resourceVersion: "37760513"
  uid: a6917647-e8c8-429d-abe5-b381********
rules:
- apiGroups: [""]
  resources: [pods, pods/attach, pods/exec, pods/portforward, pods/proxy]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [""]
  resources: [configmaps, endpoints, replicationcontrollers, replicationcontrollers/scale, secrets,
    serviceaccounts, services, services/proxy, persistentvolumeclaims]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [""]
  resources: [events, namespaces/status, replicationcontrollers/status, pods/log, pods/status,
    componentstatuses]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [namespaces, nodes, persistentvolumes, limitranges, resourcequotas, resourcequotas/status]
  verbs: [get, list, watch]
- apiGroups: [apps]
  resources: [daemonsets, daemonsets/status, deployments, deployments/status, deployments/rollback,
    deployments/scale, replicasets, replicasets/scale, statefulsets, controllerrevisions]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [autoscaling]
  resources: [horizontalpodautoscalers]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [batch]
  resources: [cronjobs, jobs]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [extensions]
  resources: [daemonsets, daemonsets/status, deployments, deployments/status, deployments/rollback,
    deployments/scale, ingresses, replicasets, replicasets/scale, replicationcontrollers/scale]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [networking.k8s.io]
  resources: ['*']
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [servicecatalog.k8s.io]
  resources: [clusterserviceclasses, clusterserviceplans, clusterservicebrokers, serviceinstances,
    servicebindings]
  verbs: [create, delete, get, list, patch, update, watch]
- apiGroups: [servicecatalog.k8s.io]
  resources: [clusterservicebrokers/status, clusterserviceclasses/status, clusterserviceplans/status,
    serviceinstances/status, serviceinstances/reference, servicebindings/status]
  verbs: [update]
- apiGroups: [policy]
  resources: [poddisruptionbudgets]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [get, list, create, watch, patch, update, delete, deletecollection]
- apiGroups: [storage.k8s.io]
  resources: [storageclasses]
  verbs: [get, list, watch]
- apiGroups: [vke.volcengine.com]
  resources: [cronhpas]
  verbs: [get, list, create, watch, patch, update, delete, deletecollection]
- apiGroups: [appinspect.elkeid.bytedance.com]
  resources: [secinspectpolicies, secinspectreports, secinspectrunconfigs, secinspectclusterreports]
  verbs: [get, list, watch]
- apiGroups: [loadbalancer.vke.volcengine.com]
  resources: [albinstances]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
```
Run the following command to view the Kubernetes permissions that correspond to vke:visitor.

```shell
kubectl get clusterrole vke:visitor --output=yaml
```

Expected output:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2023-05-17T04:03:24Z"
  labels:
    app.kubernetes.io/managed-by: Helm
    rbac.vke.volcengine.com/preset-role: "true"
    rbac.vke.volcengine.com/version: 1.0.4
  name: vke:visitor
  resourceVersion: "307"
  uid: 0174b6f8-cde5-411d-bb01-b34f********
rules:
- apiGroups: [""]
  resources: [pods, pods/attach, pods/exec, pods/portforward, pods/proxy]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [endpoints, persistentvolumeclaims, replicationcontrollers, replicationcontrollers/scale,
    serviceaccounts, services, services/proxy, namespaces, nodes, persistentvolumes, limitranges,
    resourcequotas, resourcequotas/status]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [events, replicationcontrollers/status, pods/log, pods/status]
  verbs: [get, list, watch]
- apiGroups: [apps]
  resources: [daemonsets, deployments, deployments/rollback, deployments/scale, replicasets,
    replicasets/scale, statefulsets, controllerrevisions]
  verbs: [get, list, watch]
- apiGroups: [autoscaling]
  resources: [horizontalpodautoscalers]
  verbs: [get, list, watch]
- apiGroups: [batch]
  resources: [cronjobs, jobs]
  verbs: [get, list, watch]
- apiGroups: [extensions]
  resources: [daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, replicasets,
    replicasets/scale, replicationcontrollers/scale]
  verbs: [get, list, watch]
- apiGroups: [networking.k8s.io]
  resources: ['*']
  verbs: [get, list, watch]
- apiGroups: [servicecatalog.k8s.io]
  resources: [clusterserviceclasses, clusterserviceplans, clusterservicebrokers, serviceinstances,
    servicebindings]
  verbs: [get, list, watch]
- apiGroups: [policy]
  resources: [poddisruptionbudgets]
  verbs: [get, list]
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [get, list, watch]
- apiGroups: [storage.k8s.io]
  resources: [storageclasses]
  verbs: [get, list, watch]
- apiGroups: [vke.volcengine.com]
  resources: [cronhpas]
  verbs: [get, list, watch]
- apiGroups: [appinspect.elkeid.bytedance.com]
  resources: [secinspectpolicies, secinspectreports, secinspectrunconfigs, secinspectclusterreports]
  verbs: [get, list, watch]
- apiGroups: [loadbalancer.vke.volcengine.com]
  resources: [albinstances]
  verbs: [get, list, watch]
```
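A defender-side check that follows from the listings above, added here as an example and not part of the VKE documentation: the script parses a ClusterRole as returned by `kubectl get clusterrole <name> -o json` and reports the grants a reviewer should weigh before binding the role to a user, such as the wildcards in vke:admin and the `create` on pods/exec and read access to secrets in vke:dev. The SENSITIVE table and the embedded JSON samples are assumptions constructed from the page's own listings.

```python
import json
import sys

# Added example, not part of the VKE documentation: flag grants in a ClusterRole
# that a reviewer should look at before binding it to a user. Pipe in the output
# of `kubectl get clusterrole <name> -o json`, or run it on the samples below.

# (apiGroup, resource) -> (verbs that matter, why). The core API group is "".
SENSITIVE = {
    ("", "secrets"): ({"get", "list", "watch"}, "reads Secret contents"),
    ("", "pods/exec"): ({"create"}, "runs commands inside containers"),
    ("", "pods/attach"): ({"create"}, "attaches to running containers"),
    ("", "serviceaccounts"): ({"create", "update", "patch"}, "mints workload identities"),
}

def audit_clusterrole(role: dict) -> list[str]:
    """Return one finding per sensitive grant, in rule order; [] if none."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if "*" in resources and "*" in verbs:  # vke:admin style, cluster-admin equivalent
            findings.append(f"rule {i}: '*' on resources and verbs in apiGroups {groups}")
            continue
        for key in ((g, r) for g in groups for r in resources):
            if key in SENSITIVE:
                trigger, why = SENSITIVE[key]
                hit = sorted(verbs & trigger)
                if hit:
                    findings.append(f"rule {i}: {key[1]} {hit}: {why}")
    return findings

# Constructed samples, reduced from the page's vke:admin, vke:dev-promoted and
# vke:dev listings and written as `-o json` would print them.
ADMIN = json.loads('{"metadata":{"name":"vke:admin"},"rules":['
    '{"apiGroups":["*"],"resources":["*"],"verbs":["*"]},'
    '{"nonResourceURLs":["*"],"verbs":["*"]}]}')
DEV_PROMOTED = json.loads('{"metadata":{"name":"vke:dev-promoted"},"rules":['
    '{"apiGroups":[""],"resources":["nodes","persistentvolumes"],"verbs":["get","list"]}]}')
DEV = json.loads('{"metadata":{"name":"vke:dev"},"rules":['
    '{"apiGroups":[""],"resources":["pods","pods/attach","pods/exec","pods/portforward"],'
    '"verbs":["create","delete","get","list","patch","update","watch"]},'
    '{"apiGroups":[""],"resources":["configmaps","secrets","serviceaccounts","services"],'
    '"verbs":["create","delete","get","list","patch","update","watch"]}]}')

if __name__ == "__main__":
    role = DEV if sys.stdin.isatty() else json.load(sys.stdin)
    for line in audit_clusterrole(role) or ["no sensitive grants"]:
        print(f"{role['metadata']['name']}: {line}")
```

Run against a live cluster with `kubectl get clusterrole vke:ops -o json | python3 audit.py`; the same check applied to vke:visitor produces no findings because its pods/exec and secrets grants are absent or read-only on non-secret resources.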