enable copying rolebinding examples directly
This commit is contained in:
Naresh Koduru
parent
4ae01a8a13
commit
8b78fb8239
|
|
@ -123,25 +123,7 @@ Here is an example of a RoleBinding that grants the "pod-reader" Role to the use
|
|||
within the "default" namespace.
|
||||
This allows "jane" to read pods in the "default" namespace.
|
||||
|
||||
```yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
# This role binding allows "jane" to read pods in the "default" namespace.
|
||||
# You need to already have a Role named "pod-reader" in that namespace.
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: read-pods
|
||||
namespace: default
|
||||
subjects:
|
||||
# You can specify more than one "subject"
|
||||
- kind: User
|
||||
name: jane # "name" is case sensitive
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
# "roleRef" specifies the binding to a Role / ClusterRole
|
||||
kind: Role #this must be Role or ClusterRole
|
||||
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
```
|
||||
{{% code_sample file="access/simple-rolebinding-with-role.yaml" %}}
|
||||
|
||||
A RoleBinding can also reference a ClusterRole to grant the permissions defined in that
|
||||
ClusterRole to resources inside the RoleBinding's namespace. This kind of reference
|
||||
|
|
@ -152,26 +134,7 @@ For instance, even though the following RoleBinding refers to a ClusterRole,
|
|||
"dave" (the subject, case sensitive) will only be able to read Secrets in the "development"
|
||||
namespace, because the RoleBinding's namespace (in its metadata) is "development".
|
||||
|
||||
```yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
# This role binding allows "dave" to read secrets in the "development" namespace.
|
||||
# You need to already have a ClusterRole named "secret-reader".
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: read-secrets
|
||||
#
|
||||
# The namespace of the RoleBinding determines where the permissions are granted.
|
||||
# This only grants permissions within the "development" namespace.
|
||||
namespace: development
|
||||
subjects:
|
||||
- kind: User
|
||||
name: dave # Name is case sensitive
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: secret-reader
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
```
|
||||
{{% code_sample file="access/simple-rolebinding-with-clusterrole.yaml" %}}
|
||||
|
||||
#### ClusterRoleBinding example
|
||||
|
||||
|
|
@ -179,21 +142,7 @@ To grant permissions across a whole cluster, you can use a ClusterRoleBinding.
|
|||
The following ClusterRoleBinding allows any user in the group "manager" to read
|
||||
secrets in any namespace.
|
||||
|
||||
```yaml
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: read-secrets-global
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: manager # Name is case sensitive
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: secret-reader
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
```
|
||||
{{% code_sample file="access/simple-clusterrolebinding.yaml" %}}
|
||||
|
||||
After you create a binding, you cannot change the Role or ClusterRole that it refers to.
|
||||
If you try to change a binding's `roleRef`, you get a validation error. If you do want
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: read-secrets-global
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: manager # Name is case sensitive
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: secret-reader
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
# This role binding allows "dave" to read secrets in the "development" namespace.
|
||||
# You need to already have a ClusterRole named "secret-reader".
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: read-secrets
|
||||
#
|
||||
# The namespace of the RoleBinding determines where the permissions are granted.
|
||||
# This only grants permissions within the "development" namespace.
|
||||
namespace: development
|
||||
subjects:
|
||||
- kind: User
|
||||
name: dave # Name is case sensitive
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: secret-reader
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
# This role binding allows "jane" to read pods in the "default" namespace.
|
||||
# You need to already have a Role named "pod-reader" in that namespace.
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: read-pods
|
||||
namespace: default
|
||||
subjects:
|
||||
# You can specify more than one "subject"
|
||||
- kind: User
|
||||
name: jane # "name" is case sensitive
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
# "roleRef" specifies the binding to a Role / ClusterRole
|
||||
kind: Role #this must be Role or ClusterRole
|
||||
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
Loading…
Reference in New Issue