Kubernetes 云账号的最小权限要求

若希望在 Kubernetes 场景下(K8s 云账号)完成应用发布,CODING 持续部署需要调用相关的 Kubernetes APIs。CODING 团队不推荐您将 Kubernetes 集群所有权限皆授予 CODING CD;得益于 Kubernetes 的 RBAC(Role Based Access Control)机制,您可以给 CODING CD 配置应用发布所需的最小权限。下文是配置最小权限的指引。

Role

CODING 推荐您在需要开放权限的命名空间中创建 Role,并将 ServiceAccountRole 进行绑定。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 name: coding-cd-role
rules:
- apiGroups: [""]
  resources: ["namespaces", "configmaps", "events", "replicationcontrollers", "serviceaccounts", "pods/logs"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods", "pods/portforward", "services", "services/proxy", "secrets"]
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["list", "get"]
- apiGroups: ["apps"]
  resources: ["controllerrevisions", "statefulsets"]
  verbs: ["list"]
- apiGroups: ["extensions", "app", "apps"]
  resources: ["deployments", "replicasets", "ingresses", "daemonsets"]
  verbs: ["*"]

Service Account

下一步是为 CODING CD 创建一个 Service Account,持续部署控制台将会用此 Service Account 与 Kubernetes 集群交互。您可以使用如下的 manifest 创建 Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
 name: coding-cd-service-account
 namespace: default

Role Binding

最后,创建一个 RoleBinding 将上述的 coding-cd-rolecoding-cd-service-account 进行绑定。

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
 name: coding-cd-role-binding
 namespace: webapp
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
 name: coding-cd-role
subjects:
- namespace: default
 kind: ServiceAccount
 name: coding-cd-service-account
上一篇部署 Kubernetes 资源时拉取私有库镜像
文档是否对您有用?
感谢反馈有用
感谢反馈没用