Can Kubernetes RBAC control access to paths within a Secret?

Question (0 votes, 1 answer)

I am learning RBAC for access control; this is my role definition:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: foobar-role
  labels:
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "patch"]

This role lets the subject access secrets, but I want to know whether access can be restricted to specific paths:

apiVersion: v1
data:
  keycloak.clientSecret: ...
  keycloak.url: ...
  user.password: ...
kind: Secret
metadata:
  creationTimestamp: "2019-04-21T08:07:21Z"
  labels:
    app: foobar-ce
    heritage: Tiller
    release: foobar
  name: foobar-secret
  namespace: default
  resourceVersion: "12348"
  selfLink: /api/v1/namespaces/default/secrets/foobar-secret
  uid: 7d8775d9-640c-11e9-8327-0242b821d21a
type: Opaque

For example, is it possible, by changing only the role, to allow:

  • view {.data.keycloak\.url} (read-only)
  • update {.data.keycloak\.clientSecret} (write-only)
Tags: kubernetes

1 Answer (1 vote)

You can restrict to individual resources (resourceNames in the policy), but not further than that. I don't think the API even supports partial access.
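Since RBAC granularity stops at the Secret object, the closest you can get to the per-key split asked for is resourceNames plus separate Secret objects. The manifests below are an added example, not from the question or the answer; they assume the question's "foobar-secret" in namespace "default", and the other secret names and values are constructed.

```yaml
# Added example, not from the question or answer. Assumes the question's
# "foobar-secret" in namespace "default"; other names/values are constructed.
# (1) What RBAC can do: bind the grant to one named Secret. resourceNames
#     applies to get/update/patch/delete; it cannot restrict create, and it
#     restricts list/watch only when the client sends a metadata.name selector.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                        # namespaced Role, not ClusterRole
metadata:
  name: foobar-secret-editor
  namespace: default
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["foobar-secret"]
  verbs: ["get", "patch"]         # still reads and replaces every key in .data
---
# (2) Per-key read vs. write needs the keys split across Secret objects,
#     each granted separately; user.password stays in foobar-secret, ungranted.
apiVersion: v1
kind: Secret
metadata:
  name: foobar-keycloak-url       # holds the read-only value
  namespace: default
type: Opaque
stringData:
  keycloak.url: "https://keycloak.example.invalid"   # constructed value
---
apiVersion: v1
kind: Secret
metadata:
  name: foobar-keycloak-client    # holds the write-only value
  namespace: default
type: Opaque
stringData:
  keycloak.clientSecret: "PLACEHOLDER"   # rotated via the role below
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: foobar-keycloak-access
  namespace: default
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["foobar-keycloak-url"]
  verbs: ["get"]                  # view keycloak.url only
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["foobar-keycloak-client"]
  verbs: ["patch"]                # update keycloak.clientSecret without reading it
```

A RoleBinding for the subject is still needed; note that the ClusterRole in the question carries the aggregate-to-view label, which would add secret access to every holder of the built-in view role, a role that deliberately excludes secrets.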
