Question
Situation:
- users A, B, C, D
- team 1: user A, user B
- team 2: user C, user D
Desired:
- each user has private volume
- each team has a shared volume --> users in team can see shared volume
- some users, based on permission, can see both shared volumes
I have searched for quite some time now and do not see a solution in the docs.
Ideas:
- Use Namespaces! Problem --> can no longer see the shared volume of the other Namespace
Answer 1:
This is an example of how you would do it. You can use namespaces for the different teams.
Then you can use a Role for each volume and assign it to users accordingly (Roles are namespaced). A sample Role would be:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: team1
  name: volume-access
rules:
  # The core API group ("") holds both resources; the resource name is the
  # plural "persistentvolumes". Note that PersistentVolumes are cluster-scoped,
  # so a namespaced Role can only take effect on the PersistentVolumeClaims
  # in its own namespace.
  - apiGroups: [""]
    resources: ["persistentvolumes", "persistentvolumeclaims"]
    resourceNames: ["my-volume"]
    verbs: ["update", "get", "list", "patch", "watch"]
Then your binding would be something like:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pv-binding
  namespace: team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: volume-access
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: usera
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: userb
The above would be shared by user A and user B. You can create separate roles for the volume that is private.
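The remaining case from the question, a user who may see both teams' shared volumes, is shown below as an added example that is not part of the answer above: the team2 shared-volume Role and a RoleBinding in the team2 namespace that grants the team1 member usera read access alongside the team2 users. The namespace, claim and user names (team2, team2-shared, usera, userc, userd) are assumed placeholders.

```yaml
# Added example, not from the original answer. Names are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team2
  name: shared-volume-access
rules:
  # PersistentVolumes are cluster-scoped, so this namespaced Role governs
  # only the PersistentVolumeClaim object in team2. Read-only verbs keep
  # cross-team visibility from becoming cross-team modification.
  # "list"/"watch" restricted by resourceNames only authorize requests that
  # carry a matching metadata.name field selector, hence "get" and "watch".
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    resourceNames: ["team2-shared"]
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shared-volume-binding
  namespace: team2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: shared-volume-access
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: userc
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: userd
  # Cross-team visibility: usera (team1) is bound to the same read-only
  # Role in team2. The team1 binding for usera stays unchanged.
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: usera
```

Verify the effective permission with `kubectl auth can-i get persistentvolumeclaims/team2-shared -n team2 --as usera`. RBAC on the PVC object only controls API access; any subject allowed to create Pods in team2 can still mount that claim, so Pod-creation rights need the same per-namespace care.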
Source: https://stackoverflow.com/questions/54393001/set-volume-permissions-in-multi-tenant-kubernetes-cluster