Set Volume Permissions in Multi-Tenant Kubernetes

2019-08-13 00:15发布

Situation:
- users A, B, C, D
- team 1: user A, user B
- team 2: user C, user D

Desired:
- each user has private volume
- each team has a shared volume --> users in team can see shared volume
- some users, based on permission, can see both shared volumes

Searched for quite some time now, do not see a solution in the Docs.

Ideas:
- Use Namespaces! problem --> can no longer see shared volume of other Namespace

标签： kubernetes kubernetes-helm jupyterhub kubernetes-pvc

1条回答

姐就是有狂的资本

2楼-- · 2019-08-13 01:06

This is an example of how you would do it. You can use namespaces for the different teams.

Then you can use a Role for each volume and assign to users accordingly. (Roles are namespaced). A sample Role would be:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: team1
  name: volume-access
rules:
- apiGroups: [""]
  resources: ["persistentvolume", "persistentvolumeclaims"]
  resourceNames: ["my-volume"]
  verbs: ["update", "get", "list", "patch", "watch"]

Then your binding would be something like:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pv-binding
  namespace: team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: volume-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: usera
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userb

The above would be shared by user A and user B. You can create separate roles for the volume that is private.

0人赞添加讨论(0) 举报

Set Volume Permissions in Multi-Tenant Kubernetes

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间