Create a custom RBAC role


A Kubernetes-native Role or ClusterRole used in Role-Based Access Control (RBAC) defines a set of permissions. A Role defines permissions scoped to a namespace. A ClusterRole defines permissions on cluster-scoped resources. This topic describes how to customize a Role and a ClusterRole.

Introduction to Roles and ClusterRoles

You can create a Role or ClusterRole by using a YAML file or the Alibaba Cloud Container Compute Service (ACS) console.

Create a Role

To define permissions scoped to a namespace, create a Role.

The following YAML example shows a Role in the default namespace that grants full permissions on pods.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

Create a ClusterRole

To define cluster-wide permissions, create a ClusterRole.

The following YAML example shows a ClusterRole that grants full permissions on pods. A ClusterRole is not namespaced; whether these pod permissions apply cluster-wide or only within one namespace depends on whether the ClusterRole is referenced by a ClusterRoleBinding or by a RoleBinding.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

For more information about Roles and ClusterRoles, see Role and ClusterRole.
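As an added example (not part of the ACS documentation), the following Python script models how the two manifests above behave once they are bound: the same test-clusterrole is limited to one namespace when referenced by a RoleBinding and becomes cluster-wide when referenced by a ClusterRoleBinding. The subjects dev-user and ops-user, the two bindings, and the simplified rule matcher are constructed for illustration.

```python
# Constructed evaluator for the Role and ClusterRole shown on this page. Subjects are
# plain user names, bindings are simplified dicts, and resourceNames are ignored.
POD_VERBS = ["create", "delete", "deletecollection", "get",
             "list", "patch", "update", "watch"]
TEST_ROLE = {"kind": "Role", "metadata": {"name": "test-role", "namespace": "default"},
             "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": POD_VERBS}]}
TEST_CLUSTERROLE = {"kind": "ClusterRole", "metadata": {"name": "test-clusterrole"},
                    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": POD_VERBS}]}
ROLES = {("Role", "test-role"): TEST_ROLE, ("ClusterRole", "test-clusterrole"): TEST_CLUSTERROLE}

# Hypothetical bindings: dev-user gets the ClusterRole through a namespaced RoleBinding,
# ops-user gets the same ClusterRole through a ClusterRoleBinding.
DEV_RB = {"kind": "RoleBinding", "metadata": {"namespace": "default"},
          "subjects": ["dev-user"], "roleRef": ("ClusterRole", "test-clusterrole")}
OPS_CRB = {"kind": "ClusterRoleBinding", "metadata": {},
           "subjects": ["ops-user"], "roleRef": ("ClusterRole", "test-clusterrole")}
BINDINGS = [DEV_RB, OPS_CRB]

def rule_allows(rule, api_group, resource, verb):
    """A rule matches when apiGroup, resource and verb all match; '*' is a wildcard."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))

def binding_scope(binding, role):
    """Namespace in which the binding grants the role, or '*' for every namespace."""
    if binding["kind"] == "ClusterRoleBinding":
        if role["kind"] != "ClusterRole":
            raise ValueError("a ClusterRoleBinding can only reference a ClusterRole")
        return "*"
    ns = binding["metadata"]["namespace"]  # a RoleBinding never reaches beyond its namespace
    if role["kind"] == "Role" and role["metadata"]["namespace"] != ns:
        raise ValueError("a RoleBinding can only reference a Role in its own namespace")
    return ns

def can_i(subject, verb, resource, namespace, bindings=BINDINGS, roles=ROLES, api_group=""):
    """True if some binding for subject grants verb on resource in namespace."""
    for binding in bindings:
        if subject not in binding["subjects"]:
            continue
        role = roles[binding["roleRef"]]
        if binding_scope(binding, role) not in ("*", namespace):
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False
```

On a real cluster the same questions are answered by kubectl auth can-i, run as the RAM user or with --as, which is the check to perform after creating a custom ClusterRole and its binding.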

Create a custom RBAC role

Note

This section shows how to create a custom ClusterRole for a Resource Access Management (RAM) user or RAM role. The steps to create a ClusterRole are similar to the steps to create a Role.

  1. Log on to the ACS console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Security > Role.

  3. On the Role page, click the Cluster Role tab.

  4. On the Cluster Role tab, click Create.

  5. In the Create YAML panel, enter the YAML for your custom policy and click OK.

    This example uses the YAML from the ClusterRole: cluster-scoped permissions section in Permission policies. After the ClusterRole is created, you can find the custom ClusterRole test-clusterrole on the Cluster Role tab.

What to do next

For more information about how to assign RBAC roles to RAM users or RAM roles, see Grant RBAC permissions to RAM users or RAM roles.