RBAC Guide

Role and ClusterRole

Resource            Scope                                   Binding / subjects
Role                Single namespace                        RoleBinding
ClusterRole         Cluster-wide or a single namespace      ClusterRoleBinding or RoleBinding
RoleBinding         Grants permissions within a namespace   Users / groups / ServiceAccounts
ClusterRoleBinding  Grants permissions cluster-wide         Users / groups / ServiceAccounts

Role and RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-pod-reader
  namespace: production
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-sa
  namespace: production
  annotations:
    # AWS IRSA
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/MyAppRole
---
# Pod spec fragment: run the Pod as the ServiceAccount
spec:
  serviceAccountName: myapp-sa
  automountServiceAccountToken: false

# Test permissions (impersonate the identity)
kubectl auth can-i list pods \
  --as=system:serviceaccount:production:myapp-sa
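To show how the Role/RoleBinding objects above combine into an answer like the `kubectl auth can-i --as` check, here is an added example (not code from the page) that evaluates RBAC objects offline. It assumes an extra, constructed ClusterRole `secret-reader` bound to `myapp-sa` through a RoleBinding, and it simplifies real RBAC: no Group membership, no `resourceNames`, no aggregation.

```python
# Constructed sample: the page's pod-reader Role and alice-pod-reader RoleBinding,
# plus an assumed ClusterRole "secret-reader" bound to myapp-sa through a RoleBinding.
OBJECTS = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "production"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list", "watch"]},
               {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "alice-pod-reader", "namespace": "production"},
     "subjects": [{"kind": "User", "name": "alice"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "myapp-secrets", "namespace": "production"},
     "subjects": [{"kind": "ServiceAccount", "name": "myapp-sa", "namespace": "production"}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}},
]


def _rule_allows(rule, group, resource, verb):
    """A rule matches when apiGroup, resource and verb are each listed or wildcarded."""
    def listed(allowed, value):
        return "*" in allowed or value in allowed
    return (listed(rule.get("apiGroups", []), group)
            and listed(rule.get("resources", []), resource)
            and listed(rule.get("verbs", []), verb))


def can_i(objects, subject, verb, resource, namespace=None, group=""):
    """Answer 'can subject do verb on group/resource in namespace?' from RBAC objects.

    subject is {"kind": "User", "name": "alice"} or a ServiceAccount with its namespace.
    namespace=None is a cluster-scoped request, which only a ClusterRoleBinding can grant.
    """
    rules_by_ref = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o["rules"]
                    for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        # A RoleBinding grants only inside its own namespace, even when roleRef is a ClusterRole.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        if not any(all(s.get(k) == subject.get(k) for k in ("kind", "name", "namespace"))
                   for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        ref_ns = binding["metadata"]["namespace"] if ref["kind"] == "Role" else None
        if any(_rule_allows(r, group, resource, verb)
               for r in rules_by_ref.get((ref["kind"], ref_ns, ref["name"]), [])):
            return True
    return False
```

Note that `alice` cannot list pods cluster-wide and `myapp-sa` cannot read secrets outside `production`: a RoleBinding never widens a grant beyond its own namespace, which is the point of binding a ClusterRole through a RoleBinding.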

Aggregated ClusterRole

# Create a role that is automatically aggregated into the built-in view ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-to-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["custom.example.com"]
  resources: ["myresources"]
  verbs: ["get", "list", "watch"]