k8s中如何授权 pod 内可以访问指定的 ConfigMap

2021-01-25 11:06发布

问题:

在一个 kubernetes 集群中,想授权 production 中的所有 pod 可以直接访问名为 appsettings.shared.json 的 ConfigMap(无需mount这个ConfigMap),请问如何实现?

回答1:

通过添加 Role 与 RoleBinding 搞定了

1)创建 Role 配置文件 configmap-reader-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: configmap-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resourceNames:
    - appsettings.shared.json
  resources:
    - configmaps
  verbs:
    - get

2)在集群中添加该 Role

kubectl apply -f configmap-reader-role.yaml

3)创建 configmap-reader-rolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-configmap
  namespace: production
subjects:
- kind: ServiceAccount
  name: default
roleRef:
  kind: Role 
  name: configmap-reader # this must match the name of the Role you wish to bind to
  apiGroup: rbac.authorization.k8s.io

注:default 是 pod 的默认 ServiceAccount

4)在集群中添加该 RoleBinding

kubectl apply -f configmap-reader-rolebinding.yaml


标签: k8s