8.5.2. Bearer Auth
默认情况下,如果没有指定身份验证,代理将使用 bearer 令牌身份验证(Bearer Auth)。Bearer Auth 使用 Kubernetes apiserver 库的委托身份验证。
配置通过 Kubernetes RBAC 角色和角色绑定授予对 URL 前缀的访问权限。代理添加了配置选项 cluster_url 以指定 url_prefix。这个值默认为 openshift-ansible-service-broker。
集群角色示例
- apiVersion: authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: access-asb-role
rules:
- nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"]
verbs: ["get", "post", "put", "patch", "delete"]
8.5.2.1. 部署模板和 Secret
以下是创建服务目录可以使用的 secret 的示例。本例假定角色 access-asb-role 已创建。来自部署模板:
- apiVersion: v1
kind: ServiceAccount
metadata:
name: ansibleservicebroker-client
namespace: openshift-ansible-service-broker
- apiVersion: authorization.openshift.io/v1
kind: ClusterRoleBinding
metadata:
name: ansibleservicebroker-client
subjects:
- kind: ServiceAccount
name: ansibleservicebroker-client
namespace: openshift-ansible-service-broker
roleRef:
kind: ClusterRole
name: access-asb-role
- apiVersion: v1
kind: Secret
metadata:
name: ansibleservicebroker-client
annotations:
kubernetes.io/service-account.name: ansibleservicebroker-client
type: kubernetes.io/service-account-token上例中会创建一个服务帐户,授予 access-asb-role 的访问权限,并为该服务帐户令牌创建 secret。
