I set up a k8s cluster in GKE with RBAC enabled, then installed Istio into the cluster.

I followed these steps (link) to create the key/certificate for the Istio ingress controller; the key/certificate is stored as a secret named istio-ingress-certs.

Now I want to use RBAC to restrict access to istio-ingress-certs so that every component in istio-system is allowed to read the secret, but nobody can modify or delete it.

I created a secrets-rbac.yaml file and ran kubectl apply -f secrets-rbac.yaml. It creates a role that reads secrets and binds this role to all serviceaccounts in the istio-system namespace.

To verify that serviceaccounts are not allowed to modify istio-ingress-certs, I used this command to test: kubectl auth can-i edit secrets/istio-ingress-certs -n istio-system --as system:serviceaccount:istio-system:istio-pilot-service-account

I expected the command to return false, but it returns true. I think I have not set up RBAC correctly in the yaml file, but I'm not sure which part is wrong.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: istio-system
  name: istio-ingress-certs-reader
rules:
- apiGroups: ["*"]
  resources: ["secrets"]
  resourceNames: ["istio-ingress-certs"]
  verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: istio-system
  name: read-istio-ingress-certs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingress-certs-reader
subjects:
- kind: Group
  name: system:serviceaccounts:istio-system
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: system:unauthenticated
  apiGroup: rbac.authorization.k8s.io
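As an added illustration (not part of the question above), the following Python models how Kubernetes RBAC evaluates a request: authorization is purely additive, so a Role that grants only "get" can never take away a verb granted elsewhere. The Role and RoleBinding from the question are reproduced as dicts; the "hypothetical-secrets-editor" Role and its binding are constructed placeholders, not objects Istio or the question defines.

```python
# Added example, not from the original post: a minimal model of Kubernetes RBAC
# evaluation. RBAC is purely additive (there are no deny rules), so a Role that
# grants only "get" cannot take away a verb that some other binding grants.
SA_NS, SA_NAME = "istio-system", "istio-pilot-service-account"
# The Role and RoleBinding from the question, as Python dicts.
READER_ROLE = {"name": "istio-ingress-certs-reader", "rules": [
    {"apiGroups": ["*"], "resources": ["secrets"],
     "resourceNames": ["istio-ingress-certs"], "verbs": ["get"]}]}
READER_BINDING = {"roleRef": "istio-ingress-certs-reader", "subjects": [
    {"kind": "Group", "name": f"system:serviceaccounts:{SA_NS}"},
    {"kind": "Group", "name": "system:authenticated"},
    {"kind": "Group", "name": "system:unauthenticated"}]}

# Constructed placeholder for whatever other binding grants the pilot account
# write access: "*" matches any verb string, including the literal "edit".
EDITOR_ROLE = {"name": "hypothetical-secrets-editor", "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]}
EDITOR_BINDING = {"roleRef": "hypothetical-secrets-editor", "subjects": [
    {"kind": "ServiceAccount", "namespace": SA_NS, "name": SA_NAME}]}

def sa_groups(ns):
    # Groups a ServiceAccount token carries once it has authenticated.
    return {"system:serviceaccounts", f"system:serviceaccounts:{ns}", "system:authenticated"}

def subject_matches(s, ns, name):
    if s["kind"] == "Group":
        return s["name"] in sa_groups(ns)
    return s["kind"] == "ServiceAccount" and (s["namespace"], s["name"]) == (ns, name)

def rule_matches(r, group, resource, name, verb):
    names = r.get("resourceNames")  # empty/missing means "any name"
    return (("*" in r["apiGroups"] or group in r["apiGroups"])
            and ("*" in r["resources"] or resource in r["resources"])
            and (not names or name in names)
            and ("*" in r["verbs"] or verb in r["verbs"]))

def can_i(roles, bindings, ns, sa, verb, resource, name, group=""):
    # Allowed iff ANY matching binding references a Role with a matching rule.
    by_name = {r["name"]: r for r in roles}
    return any(
        any(subject_matches(s, ns, sa) for s in b["subjects"])
        and any(rule_matches(r, group, resource, name, verb)
                for r in by_name[b["roleRef"]]["rules"])
        for b in bindings)

def demo():
    # (reader binding only, reader + wildcard binding) for "edit" on the secret
    args = (SA_NS, SA_NAME, "edit", "secrets", "istio-ingress-certs")
    return (can_i([READER_ROLE], [READER_BINDING], *args),
            can_i([READER_ROLE, EDITOR_ROLE], [READER_BINDING, EDITOR_BINDING], *args))
```

Running demo() gives (False, True): the reader Role alone does not grant "edit", and adding a wildcard binding makes "edit" allowed regardless of the reader Role, which is why a read-only Role cannot enforce a restriction.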