2.5.6. 角色策略
Kubernetes 配置策略控制器负责监控角色策略的状态。在 object-template 中定义角色来为集群中的特定角色设置规则和权限。
在以下部分了解更多有关角色策略结构的详细信息:
2.5.6.1. 角色策略 YAML 结构
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-role
namespace:
annotations:
policy.open-cluster-management.io/standards: NIST-CSF
policy.open-cluster-management.io/categories: PR.AC Identity Management Authentication and Access Control
policy.open-cluster-management.io/controls: PR.AC-4 Access Control
spec:
remediationAction: inform
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-role-example
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: high
namespaceSelector:
exclude: ["kube-*"]
include: ["default"]
object-templates:
- complianceType: mustonlyhave # role definition should exact match
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: sample-role
rules:
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "delete","patch"]
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-role
namespace:
placementRef:
name: placement-policy-role
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-role
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-role
namespace:
spec:
clusterConditions:
- type: ManagedClusterConditionAvailable
status: "True"
clusterSelector:
matchExpressions:
[]
...