Set Volume Permissions in Multi-Tenant Kubernetes

Published 2019-08-13 00:54

Question:

Situation:
- users A, B, C, D
- team 1: user A, user B
- team 2: user C, user D

Desired:
- each user has private volume
- each team has a shared volume --> users in team can see shared volume
- some users, based on permission, can see both shared volumes

I have searched for quite some time now and do not see a solution in the docs.

Ideas:
- Use Namespaces! Problem --> users can no longer see the shared volume of the other namespace.

Answer 1:

This is an example of how you would do it. You can use namespaces for the different teams.

Then you can use a Role for each volume and assign it to users accordingly (Roles are namespaced). A sample Role would be:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: team1
  name: volume-access
rules:
- apiGroups: [""]
  # PersistentVolumeClaims are namespaced, so a Role can scope access to them.
  # PersistentVolumes are cluster-scoped and cannot be granted by a namespaced
  # Role; they would need a ClusterRole.
  resources: ["persistentvolumeclaims"]
  resourceNames: ["my-volume"]
  # resourceNames only restricts requests that name an object (get, update,
  # patch); list and watch requests carry no name and are not granted by this rule.
  verbs: ["update", "get", "list", "patch", "watch"]

Then your binding would be something like:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pv-binding
  # A RoleBinding only grants access inside its own namespace.
  namespace: team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: volume-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: usera
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userb

The above would be shared by user A and user B. You can create separate Roles for each volume that is private.
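To see what the Role/RoleBinding approach in the answer actually grants, here is an added example (not code from the original post): a small Python evaluator that applies RBAC matching to a set of manifests, plus a linter for the two mistakes that are easy to make with volume Roles. The manifests are constructed for this example and cover the question's layout (team1/team2, users a-d); they assume PVC names such as team1-shared and usera-private, which are not in the original. It also goes beyond the answer by showing the "some users can see both shared volumes" case: a second RoleBinding in the other team's namespace, since a RoleBinding never reaches across namespaces.

```python
"""Added example: evaluate and lint Kubernetes RBAC manifests for volume access.
The manifests below are constructed for this example, not taken from a cluster."""

# Core-group resources that are cluster-scoped: a namespaced Role cannot grant them.
CLUSTER_SCOPED = {"persistentvolumes", "nodes", "namespaces"}

def role(ns, name, resources, names, verbs):
    """Build a namespaced Role with one core-group rule (helper for the sample data)."""
    return {"kind": "Role", "metadata": {"namespace": ns, "name": name},
            "rules": [{"apiGroups": [""], "resources": resources,
                       "resourceNames": names, "verbs": verbs}]}

def binding(ns, name, role_name, users):
    """Build a RoleBinding from a Role to a list of User subjects (helper)."""
    return {"kind": "RoleBinding", "metadata": {"namespace": ns, "name": name},
            "roleRef": {"kind": "Role", "name": role_name},
            "subjects": [{"kind": "User", "name": u} for u in users]}

OBJ_VERBS = ["get", "update", "patch"]
MANIFESTS = [
    # The answer's Role and binding, reproduced with its original resource list.
    role("team1", "volume-access", ["persistentvolume", "persistentvolumeclaims"],
         ["my-volume"], ["update", "get", "list", "patch", "watch"]),
    binding("team1", "pv-binding", "volume-access", ["usera", "userb"]),
    # One shared PVC per team (assumed names), bound to that team's users.
    role("team1", "shared-volume", ["persistentvolumeclaims"], ["team1-shared"], OBJ_VERBS),
    role("team2", "shared-volume", ["persistentvolumeclaims"], ["team2-shared"], OBJ_VERBS),
    binding("team1", "shared-volume", "shared-volume", ["usera", "userb"]),
    binding("team2", "shared-volume", "shared-volume", ["userc", "userd"]),
    # "Some users can see both shared volumes": a second binding in the other
    # team's namespace, because a RoleBinding never reaches across namespaces.
    binding("team2", "shared-volume-guests", "shared-volume", ["usera"]),
    # A private PVC (assumed name), bound to a single user.
    role("team1", "usera-private", ["persistentvolumeclaims"], ["usera-private"], OBJ_VERBS),
    binding("team1", "usera-private", "usera-private", ["usera"]),
]

def rule_matches(rule, verb, resource, name, group=""):
    """RBAC rule matching as kube-apiserver does it: every field must match."""
    def hit(field, value):
        values = rule.get(field, [])
        return value in values or "*" in values
    if not (hit("apiGroups", group) and hit("resources", resource) and hit("verbs", verb)):
        return False
    # A rule with resourceNames only matches requests that carry a name; list,
    # watch and create requests carry none, so such a rule never grants them.
    names = rule.get("resourceNames")
    return not names or name in names

def subject_matches(subject, user, groups):
    if subject["kind"] == "User":
        return subject["name"] == user
    return subject["kind"] == "Group" and subject["name"] in groups

def allowed(manifests, user, verb, resource, namespace, name=None, groups=()):
    """True if `user` may perform `verb` on `resource` (optionally a named object)
    in `namespace`. namespace=None is a cluster-scoped request, which only a
    ClusterRoleBinding can grant."""
    roles = {(m["metadata"].get("namespace"), m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    for b in manifests:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(subject_matches(s, user, groups) for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        key = (b["metadata"]["namespace"], ref["name"]) if ref["kind"] == "Role" \
            else (None, ref["name"])
        if any(rule_matches(r, verb, resource, name)
               for r in roles.get(key, {}).get("rules", [])):
            return True
    return False

def lint(manifests):
    """Static checks worth running before applying Roles that guard volumes."""
    findings = []
    for m in manifests:
        if m["kind"] != "Role":
            continue
        where = "Role {}/{}".format(m["metadata"]["namespace"], m["metadata"]["name"])
        for rule in m.get("rules", []):
            for r in rule.get("resources", []):
                if r in CLUSTER_SCOPED or (r + "s") in CLUSTER_SCOPED:
                    findings.append(where + ": " + r + " is cluster-scoped, a namespaced "
                                    "Role cannot grant it (use a ClusterRole)")
                elif not r.endswith("s"):
                    findings.append(where + ": " + r + " is not a plural resource name (typo?)")
            if rule.get("resourceNames") and {"list", "watch"} & set(rule.get("verbs", [])):
                findings.append(where + ": list/watch are never granted by a rule with resourceNames")
    return findings

if __name__ == "__main__":
    for f in lint(MANIFESTS):
        print("LINT:", f)
    for user, ns, pvc in [("usera", "team1", "team1-shared"), ("usera", "team2", "team2-shared"),
                          ("userb", "team2", "team2-shared"), ("userb", "team1", "usera-private")]:
        print(user, ns, pvc, allowed(MANIFESTS, user, "get", "persistentvolumeclaims", ns, pvc))
```

Two results are worth noting. With the answer's Role as posted, `kubectl get pvc my-volume -n team1` is allowed for user A, but `kubectl get pvc -n team1` (a list) is denied, because a rule with resourceNames never matches a request that carries no name. And no RoleBinding, in any namespace, grants anything on a PersistentVolume, which is cluster-scoped. Keep in mind that these bindings only control who can read or edit the PVC object through the API; whoever can create Pods in the namespace can still mount any PVC in it, so Pod-creation rights need the same per-user split.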