kubectl cp
внутренне использует kubectl exec
. Таким образом, RBA C должен находиться на подресурсе exec
pod
.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-copy
rules:
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
Затем вы можете создать RoleBinding
, чтобы назначить эту роль учетной записи службы
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
name: pod-copy-rolebinding
namespace: default
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
name: default # "name" is case sensitive
namespace: default #namespace where service account is created
roleRef:
# "roleRef" specifies the binding to a Role / ClusterRole
kind: Role #this must be Role or ClusterRole
name: pod-copy # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
Это даст учетную запись службы default
в default
пространстве имен для exe c в поды в default
пространстве имен.
То же RoleBinding
может применяться и к user
упоминая это subjects
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
name: pod-copy-rolebinding
namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
name: Jane # "name" is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
# "roleRef" specifies the binding to a Role / ClusterRole
kind: Role #this must be Role or ClusterRole
name: pod-copy # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io