38 lines
1.1 KiB
YAML
38 lines
1.1 KiB
YAML
# 1、创建 ServiceAccount(放在 sit 命名空间)
|
||
apiVersion: v1
|
||
kind: ServiceAccount
|
||
metadata:
|
||
name: sit-user
|
||
namespace: sit # 明确 ServiceAccount 所在的命名空间(必填)
|
||
---
|
||
|
||
# 2、为 sit 命名空间创建 Role
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: Role
|
||
metadata:
|
||
name: sit-user-role
|
||
namespace: sit
|
||
rules:
|
||
- apiGroups: ["", "apps", "extensions", "batch", "networking.k8s.io"]
|
||
resources: ["pods", "pods/log", "pods/exec", "statefulsets", "deployments", "daemonsets", "services", "configmaps", "secrets", "events", "replicasets"]
|
||
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||
- apiGroups: ["metrics.k8s.io"]
|
||
resources: ["pods","nodes"]
|
||
verbs: ["get","list","watch"]
|
||
|
||
---
|
||
# 3、将 apex-evaluation 命名空间的 Role 绑定到 ServiceAccount
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: RoleBinding
|
||
metadata:
|
||
name: sit-user-binding
|
||
namespace: sit
|
||
subjects:
|
||
- kind: ServiceAccount
|
||
name: sit-user
|
||
namespace: sit
|
||
roleRef:
|
||
apiGroup: rbac.authorization.k8s.io
|
||
kind: Role
|
||
name: sit-user-role
|