37 lines
1.3 KiB
YAML
37 lines
1.3 KiB
YAML
# 创建 ServiceAccount(放在命名空间)
|
||
apiVersion: v1
|
||
kind: ServiceAccount
|
||
metadata:
|
||
name: apex-user
|
||
namespace: apex-evaluation # 明确 ServiceAccount 所在的命名空间(必填)
|
||
---
|
||
|
||
# 为 apex-evaluation 命名空间创建 Role(仅允许操作 apex-evaluation 下的资源)
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: Role
|
||
metadata:
|
||
name: apex-user-role # Role 名称
|
||
namespace: apex-evaluation # 绑定到 apex-evaluation 命名空间
|
||
rules:
|
||
- apiGroups: ["", "apps", "extensions", "batch", "networking.k8s.io"]
|
||
resources: ["pods", "pods/log", "statefulsets", "deployments", daemonsets, "services", "configmaps", "secrets", "events", "replicasets"]
|
||
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||
- apiGroups: ["metrics.k8s.io"]
|
||
resources: ["pods","nodes"]
|
||
verbs: ["get","list","watch"]
|
||
---
|
||
|
||
# 将 apex-evaluation 命名空间的 Role 绑定到 ServiceAccount
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: RoleBinding
|
||
metadata:
|
||
name: apex-user-binding
|
||
namespace: apex-evaluation # 与 Role 同命名空间
|
||
subjects:
|
||
- kind: ServiceAccount
|
||
name: apex-user
|
||
namespace: apex-evaluation # 注意:这里是 SA 所在的命名空间
|
||
roleRef:
|
||
apiGroup: rbac.authorization.k8s.io
|
||
kind: Role
|
||
name: apex-user-role # 绑定的 Role 名称,与上方 Role 一致 |