Kubernetes Prow Robot
GitHub
commit
de9fb7ba65
|
|
@ -559,6 +559,50 @@ For example, `kubectl get configmaps --field-selector=metadata.name=my-configmap
|
|||
例如,`kubectl get configmaps --field-selector=metadata.name=my-configmap`
|
||||
{{< /note >}}
|
||||
|
||||
<!--
|
||||
Rather than referring to individual `resources` and `verbs`
|
||||
you can use the wildcard `*` symbol to refer to all such objects.
|
||||
For `nonResourceURLs` you can use the wildcard `*` symbol as a suffix glob match and
|
||||
for `apiGroups` and `resourceNames` an empty set means that everything is allowed.
|
||||
Here is an example that allows access to perform any current and future action on
|
||||
all current and future resources (note, this is similar to the built-in `cluster-admin` role).
|
||||
-->
|
||||
使用通配符 `*` 可以批量引用所有的 `resources` 和 `verbs` 对象,无需逐一引用。
|
||||
对于 `nonResourceURLs`,可以将通配符 `*` 作为后缀实现全局通配,
|
||||
对于 `apiGroups` 和 `resourceNames`,空集表示没有任何限制。
|
||||
下面的示例允许对所有当前和未来资源执行所有动作(注意,这类似于内置的 `cluster-admin`)。
|
||||
|
||||
```yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
namespace: default
|
||||
name: example.com-superuser # 此角色仅作示范,请勿使用
|
||||
rules:
|
||||
- apiGroups: ["example.com"]
|
||||
resources: ["*"]
|
||||
verbs: ["*"]
|
||||
```
|
||||
|
||||
{{< caution >}}
|
||||
<!--
|
||||
Using wildcards in resource and verb entries could result in
|
||||
overly permissive access being granted to sensitive resources.
|
||||
For instance, if a new resource type is added, or a new subresource is added,
|
||||
or a new custom verb is checked, the wildcard entry automatically grants access,
|
||||
which may be undesirable.
|
||||
The [principle of least privilege](/docs/concepts/security/rbac-good-practices/#least-privilege)
|
||||
should be employed, using specific resources and verbs to ensure
|
||||
only the permissions required for the workload to function correctly are applied.
|
||||
-->
|
||||
在 resources 和 verbs 条目中使用通配符会为敏感资源授予过多的访问权限。
|
||||
例如,如果添加了新的资源类型、新的子资源或新的自定义动词,
|
||||
通配符条目会自动授予访问权限,用户可能不希望出现这种情况。
|
||||
应该执行[最小特权原则](zh-cn/docs/concepts/security/rbac-good-practices/#least-privilege),
|
||||
使用具体的 resources 和 verbs 确保仅赋予工作负载正常运行所需的权限。
|
||||
{{< /caution >}}
|
||||
|
||||
|
||||
<!--
|
||||
### Aggregated ClusterRoles
|
||||
|
||||
|
|
@ -2331,7 +2375,7 @@ This is not a recommended policy.
|
|||
-->
|
||||
下面的策略允许 **所有** 服务帐户充当集群管理员。
|
||||
容器中运行的所有应用程序都会自动收到服务帐户的凭据,可以对 API 执行任何操作,
|
||||
包括查看 Secrets 和修改权限。这一策略是不被推荐的。
|
||||
包括查看 Secret 和修改权限。这一策略是不被推荐的。
|
||||
|
||||
```shell
|
||||
kubectl create clusterrolebinding permissive-binding \
|
||||
|
|
|
|||
Loading…
Reference in New Issue