How to map internal OIDC groups to external K8s cluster roles


Question:

I think these two YAML files should do the corresponding mapping:


```yaml
# First manifest: bind the OIDC group "devopstales" to cluster-admin cluster-wide.
# Note: metadata.namespace is ignored for a cluster-scoped ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devops-cluster-admin
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: devopstales
---
# Second manifest: bind the user "devopstales" to cluster-admin within kube-system.
# The original omitted metadata (a RoleBinding needs a name and a namespace) and
# put the namespace on the User subject; a namespace belongs on the binding
# itself, not on a User subject. The binding name below is a placeholder.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devopstales-admin   # placeholder name; not in the original
  namespace: kube-system
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: "devopstales"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
```



How do I implement role mapping between OIDC roles/groups and K8s roles?


Answer 1:

You need to specify --oidc-groups-claim=, where the JWT claim contains a list of strings identifying the groups the authenticated user belongs to, and then reference those names in RBAC.
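The following is an added example, not code from the question or the answer above. It models how kube-apiserver turns the claims of an OIDC ID token into a Kubernetes username and group list (the `--oidc-username-claim`, `--oidc-username-prefix`, `--oidc-groups-claim` and `--oidc-groups-prefix` flags are real apiserver flags, but the values chosen here are assumptions), and then checks whether a ClusterRoleBinding subject would match. The token is a constructed, unsigned JWT built in the script; a real token is signed by the issuer and verified by the apiserver before any claim is trusted. The point it shows is that the RBAC subject name must equal the claim value after the configured prefix is applied, which is the most common reason a binding like the one in the question silently does nothing.

```python
import base64
import json

# Constructed apiserver settings, equivalent to these kube-apiserver flags
# (values are assumptions for this example).
OIDC_FLAGS = {
    "--oidc-username-claim": "email",
    "--oidc-username-prefix": "oidc:",
    "--oidc-groups-claim": "groups",
    "--oidc-groups-prefix": "oidc:",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with an empty signature (constructed test input only)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWT. No signature check: example only."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(b64url_decode(payload))


def user_info(claims: dict, flags: dict = OIDC_FLAGS) -> tuple[str, list[str]]:
    """Mirror the apiserver mapping: prefix + username claim, prefix + each group."""
    username = flags["--oidc-username-prefix"] + claims[flags["--oidc-username-claim"]]
    raw_groups = claims.get(flags["--oidc-groups-claim"], [])
    if isinstance(raw_groups, str):  # normalize a single string to a one-element list
        raw_groups = [raw_groups]
    groups = [flags["--oidc-groups-prefix"] + g for g in raw_groups]
    return username, groups


def binding_applies(binding: dict, username: str, groups: list[str]) -> bool:
    """True if any subject of a (Cluster)RoleBinding names this user or one of its groups."""
    for subject in binding.get("subjects", []):
        if subject["kind"] == "User" and subject["name"] == username:
            return True
        if subject["kind"] == "Group" and subject["name"] in groups:
            return True
    return False


# Constructed sample token: the identity provider says this user is in two groups.
SAMPLE_TOKEN = make_unsigned_jwt(
    {"sub": "1234", "email": "alice@example.com", "groups": ["devopstales", "developers"]}
)

# The binding from the question: group name without the configured prefix.
UNPREFIXED_BINDING = {
    "kind": "ClusterRoleBinding",
    "subjects": [{"kind": "Group", "name": "devopstales"}],
}

# The same binding with the name the apiserver will actually present to RBAC.
PREFIXED_BINDING = {
    "kind": "ClusterRoleBinding",
    "subjects": [{"kind": "Group", "name": "oidc:devopstales"}],
}


def evaluate(token: str = SAMPLE_TOKEN) -> dict:
    """Return which sample bindings grant access for the user in the token."""
    username, groups = user_info(token_claims(token))
    return {
        "username": username,
        "groups": groups,
        "unprefixed_binding_applies": binding_applies(UNPREFIXED_BINDING, username, groups),
        "prefixed_binding_applies": binding_applies(PREFIXED_BINDING, username, groups),
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(), indent=2))
```

If the apiserver runs without `--oidc-groups-prefix`, the group names arrive unprefixed and the question's binding matches as written; with a prefix configured, the subject name must carry it. `kubectl auth can-i --as=<user> --as-group=<group>` is the quickest way to confirm what RBAC sees for a given identity.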


