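RBAC Manager is an Operator that configures RBAC declaratively through custom resources. Its goal is to simplify Kubernetes authorization, reduce the amount of configuration that authorization requires, and make it easier to scale. For example, consider the following two native RoleBinding manifests: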
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: joe-web
  namespace: web
subjects:
  - kind: User
    name: joe@example.com
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: joe-api
  namespace: api
subjects:
  - kind: User
    name: joe@example.com
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```
With RBAC Manager, a single custom resource grants the same access:
```yaml
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: joe-access
rbacBindings:
  - name: joe
    subjects:
      - kind: User
        name: joe@example.com
    roleBindings:
      - namespace: api
        clusterRole: view
      - namespace: web
        clusterRole: edit
```
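As an added example (not part of the original page or of the RBAC Manager project's code), the Python below expands the RBACDefinition above into the native RoleBindings it stands for and flattens them into grant tuples, so a reviewer can see exactly which subject gets which role in which namespace. The generated binding names and the helper names `expand` and `grants` are assumptions made for illustration.

```python
# The dict mirrors the RBACDefinition manifest shown on this page.
RBAC_DEFINITION = {
    "apiVersion": "rbacmanager.reactiveops.io/v1beta1",
    "kind": "RBACDefinition",
    "metadata": {"name": "joe-access"},
    "rbacBindings": [{
        "name": "joe",
        "subjects": [{"kind": "User", "name": "joe@example.com"}],
        "roleBindings": [
            {"namespace": "api", "clusterRole": "view"},
            {"namespace": "web", "clusterRole": "edit"},
        ],
    }],
}

def expand(definition):
    """Return one native RoleBinding dict per (rbacBinding, roleBinding) pair."""
    out = []
    def_name = definition["metadata"]["name"]
    for binding in definition.get("rbacBindings", []):
        for rb in binding.get("roleBindings", []):
            # Only the namespace + clusterRole form used on this page is handled;
            # anything else is rejected rather than silently skipped in a review.
            if "namespace" not in rb or "clusterRole" not in rb:
                raise ValueError(f"unsupported roleBinding in {binding['name']}: {rb}")
            out.append({
                "kind": "RoleBinding",
                "apiVersion": "rbac.authorization.k8s.io/v1",
                "metadata": {
                    # Name format is an assumption, not the operator's documented scheme.
                    "name": f"{def_name}-{binding['name']}-{rb['clusterRole']}",
                    "namespace": rb["namespace"],
                },
                "subjects": [dict(s) for s in binding["subjects"]],
                "roleRef": {"kind": "ClusterRole", "name": rb["clusterRole"],
                            "apiGroup": "rbac.authorization.k8s.io"},
            })
    return out

def grants(role_bindings):
    """Flatten RoleBindings to (subject kind, subject name, namespace, role) tuples."""
    return {
        (s["kind"], s["name"], rb["metadata"]["namespace"], rb["roleRef"]["name"])
        for rb in role_bindings for s in rb["subjects"]
    }

if __name__ == "__main__":
    for g in sorted(grants(expand(RBAC_DEFINITION))):
        print(*g)
```

Comparing the resulting grant set with the one derived from the hand-written RoleBindings is a quick way to confirm that a migration to RBACDefinition neither widens nor drops access.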