34 lines
1.1 KiB
YAML
34 lines
1.1 KiB
YAML
|
# 创建 ServiceAccount(放在任意命名空间,这里用 default 举例)
|
|||
|
|
apiVersion: v1
|
|||
|
|
kind: ServiceAccount
|
|||
|
|
metadata:
|
|||
|
|
name: jenkins-deployer
|
|||
|
|
namespace: default # 明确 ServiceAccount 所在的命名空间(必填)
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
# 为 test-lessie 命名空间创建 Role(仅允许操作 test-lessie 下的资源)
|
|||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
|
kind: Role
|
|||
|
|
metadata:
|
|||
|
|
name: jenkins-test-role
|
|||
|
|
namespace: test-lessie # 绑定到 test-lessie 命名空间
|
|||
|
|
rules:
|
|||
|
|
- apiGroups: ["", "apps", "extensions"]
|
|||
|
|
resources: ["pods", "deployments", "services", "configmaps", "secrets"]
|
|||
|
|
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
# 将 test-lessie 命名空间的 Role 绑定到 ServiceAccount
|
|||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|||
|
|
kind: RoleBinding
|
|||
|
|
metadata:
|
|||
|
|
name: jenkins-test-binding
|
|||
|
|
namespace: test-lessie # 与 Role 同命名空间
|
|||
|
|
subjects:
|
|||
|
|
- kind: ServiceAccount
|
|||
|
|
name: jenkins-deployer
|
|||
|
|
namespace: default # 注意:这里是 SA 所在的命名空间(default)
|
|||
|
|
roleRef:
|
|||
|
|
apiGroup: rbac.authorization.k8s.io
|
|||
|
|
kind: Role
|
|||
|
|
name: jenkins-test-role
|