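RBACManager is an Operator that configures RBAC declaratively through custom resources. Its goal is to simplify Kubernetes authorization, reduce the amount of configuration that authorization requires, and make it easier to scale. For example, take the following two native RoleBinding manifests: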
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: joe-web
  namespace: web
subjects:
- kind: User
  name: joe@example.com
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: joe-api
  namespace: api
subjects:
- kind: User
  name: joe@example.com
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

With RBACManager, a single custom resource grants the same access:
```yaml
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: joe-access
rbacBindings:
  - name: joe
    subjects:
      - kind: User
        name: joe@example.com
    roleBindings:
      - namespace: api
        clusterRole: view
      - namespace: web
        clusterRole: edit
```
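To review what a definition actually grants, it helps to expand it back into the native bindings it stands for. The following is an added example, not RBACManager's own code: `expand` and `grants` are hypothetical helpers, the `<binding>-<namespace>` naming is an assumption chosen to reproduce the two manifests above (the operator generates its own names), and only `roleBindings` entries with an explicit `namespace` are handled.

```python
RBAC_API = "rbac.authorization.k8s.io"

# Constructed input: the RBACDefinition shown above, as a Python dict.
DEFINITION = {
    "apiVersion": "rbacmanager.reactiveops.io/v1beta1",
    "kind": "RBACDefinition",
    "metadata": {"name": "joe-access"},
    "rbacBindings": [{
        "name": "joe",
        "subjects": [{"kind": "User", "name": "joe@example.com"}],
        "roleBindings": [
            {"namespace": "api", "clusterRole": "view"},
            {"namespace": "web", "clusterRole": "edit"},
        ],
    }],
}


def expand(definition):
    """Return the native RoleBinding manifests equivalent to an RBACDefinition."""
    manifests = []
    for binding in definition.get("rbacBindings", []):
        for rb in binding.get("roleBindings", []):
            # An entry references a ClusterRole or a namespaced Role;
            # a KeyError here means the entry names neither.
            ref_kind = "ClusterRole" if "clusterRole" in rb else "Role"
            ref_name = rb.get("clusterRole") or rb["role"]
            manifests.append({
                "kind": "RoleBinding",
                "apiVersion": f"{RBAC_API}/v1",
                "metadata": {
                    # Assumed naming, see the lead-in.
                    "name": f"{binding['name']}-{rb['namespace']}",
                    "namespace": rb["namespace"],
                },
                # Subjects are copied unchanged into every generated binding.
                "subjects": [dict(s) for s in binding["subjects"]],
                "roleRef": {"kind": ref_kind, "name": ref_name, "apiGroup": RBAC_API},
            })
    return manifests


def grants(definition):
    """Flatten to sorted (subject, namespace, role) tuples for access review."""
    return sorted(
        (s["name"], m["metadata"]["namespace"], m["roleRef"]["name"])
        for m in expand(definition) for s in m["subjects"]
    )
```

Comparing the output of `grants` before and after a change to a definition shows exactly which subject gained or lost which role in which namespace.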