Set Volume Permissions in Multi-Tenant Kubernetes Cluster

流过昼夜 submitted on 2019-12-11 04:14:15

Question


Situation:
- users A, B, C, D
- team 1: user A, user B
- team 2: user C, user D

Desired:
- each user has private volume
- each team has a shared volume --> users in team can see shared volume
- some users, based on permission, can see both shared volumes

Searched for quite some time now, do not see a solution in the Docs.

Ideas:
- Use Namespaces! problem --> can no longer see shared volume of other Namespace


Answer 1:


This is an example of how you would do it. You can use namespaces for the different teams.

Then you can use a Role for each volume and assign to users accordingly. (Roles are namespaced). A sample Role would be:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: team1
  name: volume-access
rules:
- apiGroups: [""]
  # PersistentVolumes are cluster-scoped, so a namespaced Role cannot grant them;
  # the namespaced object to grant is the PersistentVolumeClaim.
  resources: ["persistentvolumeclaims"]
  resourceNames: ["my-volume"]
  verbs: ["update", "get", "list", "patch", "watch"]

Then your binding would be something like:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pv-binding
  namespace: team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: volume-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: usera
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userb

The above would be shared by user A and user B. You can create separate roles for the volume that is private.
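As an added example that is not part of the question or the answer, the script below generates the complete set of Role and RoleBinding objects for the scenario in the question (one namespace per team, a shared claim per team, a private claim per user, and a read-only binding for a user allowed to see another team's share) and checks the result with a small evaluator that models the property the questioner was worried about: a RoleBinding only grants access inside its own namespace, so cross-team visibility is granted by a second binding in the other team's namespace rather than by widening the first one. All names (`team1-shared`, `usera-private`, the `CROSS_TEAM_READERS` table) are constructed assumptions; the evaluator is a teaching model, not the Kubernetes authorizer.

```python
# Added example (not from the question or the answer): builds the Role/RoleBinding
# objects for the scenario in the question and checks the resulting permissions
# with a minimal evaluator that models one RBAC property that matters here:
# a RoleBinding only grants access inside its own namespace.
import json

# Constructed scenario from the question (names are assumptions).
TEAMS = {"team1": ["usera", "userb"], "team2": ["userc", "userd"]}
# Assumption: user A is additionally allowed to read team2's shared volume.
CROSS_TEAM_READERS = {"usera": ["team2"]}

READ_VERBS = ["get", "list", "watch"]
RW_VERBS = READ_VERBS + ["update", "patch"]


def pvc_role(namespace, name, claim, verbs):
    """Role granting the given verbs on one PersistentVolumeClaim by name."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"namespace": namespace, "name": name},
        "rules": [{
            "apiGroups": [""],
            "resources": ["persistentvolumeclaims"],
            "resourceNames": [claim],
            "verbs": list(verbs),
        }],
    }


def role_binding(namespace, name, role, users):
    """RoleBinding tying a namespaced Role to a list of User subjects."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"namespace": namespace, "name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": u}
                     for u in users],
    }


def build_manifests(teams, cross_team_readers):
    """One namespace per team: a shared claim for the team, a private claim per
    user, and a read-only binding in the *target* namespace for users allowed
    to see another team's share."""
    out = []
    for ns, users in teams.items():
        shared = f"{ns}-shared"
        out.append(pvc_role(ns, "shared-volume-access", shared, RW_VERBS))
        out.append(role_binding(ns, "shared-volume-binding", "shared-volume-access", users))
        for user in users:
            out.append(pvc_role(ns, f"{user}-private-access", f"{user}-private", RW_VERBS))
            out.append(role_binding(ns, f"{user}-private-binding", f"{user}-private-access", [user]))
        # Users from other teams who may read this team's share get a binding HERE,
        # in this namespace; a binding in their own namespace would not reach it.
        readers = [u for u, targets in cross_team_readers.items() if ns in targets and u not in users]
        if readers:
            out.append(pvc_role(ns, "shared-volume-read", shared, READ_VERBS))
            out.append(role_binding(ns, "shared-volume-read-binding", "shared-volume-read", readers))
    return out


def allowed(manifests, user, namespace, claim, verb):
    """Minimal RBAC check for PVC requests: walk the RoleBindings in the request's
    namespace, keep those naming the user, and look for a matching rule in the
    referenced Role (which must live in the same namespace)."""
    roles = {(m["metadata"]["namespace"], m["metadata"]["name"]): m
             for m in manifests if m["kind"] == "Role"}
    for binding in manifests:
        if binding["kind"] != "RoleBinding" or binding["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        role = roles.get((namespace, binding["roleRef"]["name"]))
        for rule in (role or {}).get("rules", []):
            if ("" in rule["apiGroups"] and "persistentvolumeclaims" in rule["resources"]
                    and claim in rule.get("resourceNames", []) and verb in rule["verbs"]):
                return True
    return False


def render_list(manifests):
    """JSON 'List' document in the form kubectl apply -f accepts."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2)


if __name__ == "__main__":
    manifests = build_manifests(TEAMS, CROSS_TEAM_READERS)
    print(render_list(manifests))
    for user, ns, claim, verb in [("usera", "team1", "team1-shared", "update"),
                                  ("userc", "team1", "team1-shared", "get"),
                                  ("usera", "team2", "team2-shared", "get"),
                                  ("usera", "team2", "team2-shared", "update")]:
        print(f"{user} {verb} {ns}/{claim}: {allowed(manifests, user, ns, claim, verb)}")
```

Two caveats a practitioner should keep in mind when applying the generated objects. First, these rules govern API access to the PersistentVolumeClaim object; to read or write the files on the volume a user still needs permission to create a pod in that namespace that mounts the claim, so pod permissions are the real boundary for data access and must be scoped just as carefully. Second, Kubernetes applies `resourceNames` restrictions to `list` and `watch` only when the request carries a `metadata.name` field selector matching the named claim, so a client listing claims without that selector will be denied by the rule above even though `list` is in the verb set.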



Source: https://stackoverflow.com/questions/54393001/set-volume-permissions-in-multi-tenant-kubernetes-cluster
