34 lines
1.1 KiB
YAML
34 lines
1.1 KiB
YAML
# 创建 ServiceAccount(放在任意命名空间,这里用 default 举例)
|
||
apiVersion: v1
|
||
kind: ServiceAccount
|
||
metadata:
|
||
name: jenkins-deployer
|
||
namespace: default # 明确 ServiceAccount 所在的命名空间(必填)
|
||
---
|
||
|
||
# 为 test-lessie 命名空间创建 Role(仅允许操作 test-lessie 下的资源)
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: Role
|
||
metadata:
|
||
name: jenkins-test-role
|
||
namespace: test-lessie # 绑定到 test-lessie 命名空间
|
||
rules:
|
||
- apiGroups: ["", "apps", "extensions"]
|
||
resources: ["pods", "deployments", "services", "configmaps", "secrets"]
|
||
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||
---
|
||
|
||
# 将 test-lessie 命名空间的 Role 绑定到 ServiceAccount
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
kind: RoleBinding
|
||
metadata:
|
||
name: jenkins-test-binding
|
||
namespace: test-lessie # 与 Role 同命名空间
|
||
subjects:
|
||
- kind: ServiceAccount
|
||
name: jenkins-deployer
|
||
namespace: default # 注意:这里是 SA 所在的命名空间(default)
|
||
roleRef:
|
||
apiGroup: rbac.authorization.k8s.io
|
||
kind: Role
|
||
name: jenkins-test-role |