RBAC | 一个SSM写的权限管理系统，RBAC权限模型，zTree刷权限树，动态生成权限菜单

In this scenario in order to successfully execute this command:

You need to add the scope of this service principal and also change the Azure role of this Service Principal to 'User Access Administrator' to enable you to modify resources in Azure AD. Also, 'User Access Administrator' role will give the service principal the required permissions for that Azure role to assign RBAC permissions. Please refer the below command for more details: -

The solution for the issue is to regenerate the kubeconfig file for the admin:

Looks like there is namespace mismatch however you can try this below option

What you have defined is only control the service account. Here's a tested spec; create a yaml file with:

You just need to convert the array properties Team Users and Team Access into multi-line strings (being arrays is also why you see System.Object[] when you export your object).

How can to convert the array into multi-line string?

• $array -join [environment]::NewLine
• $array -join "`r`n"
• ($array | Out-String).TrimEnd()

And others...

It has to do with Kubernetes controllers & CustomResourceDefinition.

When you write an operator for Kubernetes, you would define custom objects. For example, Elastic (www.elastic.co) has an operator deploying ElasticSearch/Kibana. They decided to call one of their object "elasticsearch".

Those resource names are arbitrary, and nothing guarantee there won't be someone else, working on its own operator, using the same names. Thus, when you define your custom resources, you would also affect them with an API group.

The API group is also arbitrary, though would usually identify a unique controller/operator/set of functionality. In the case of the ElasticSearch operator, they went with an API group "k8s.elastic.co". When installing this operator CRD on your cluster, a kubectl get crd would list objects such as "elasticsearchs.k8s.elastic.co", "kibanas.k8s.elastic.co".

You could very well deploy another operator, which implements its own "elasticsearch" or "kibana" objects, within its own API group.

Thus, when you write your Roles / ClusterRoles, that apiGroup field is crucial configuring your RBAC. The resources array lists short names, the apiGroup is then used resolving the fully qualified CRD name.

While kubernetes legacy objects use some empty string, other native objects may use networking.k8s.io, batch, extensions, ... In the meantime, custom controllers would all use their own api group, whenever they rely on their own CRDs.

Now, I'm not sure I know the answer to 'why I can use "" and "events.k8s.io" together?'. I would say it's historic?

I did not see any cases where setting multiple api groups in a rule was benefic. In my opinion, it's misleading, a source of mistake, ... when you find a rule with two api groups, you can be pretty sure the person who wrote it did not understand what they were doing.

At best, one combination of apigroup / resource grants what you meant to. Worst case, one combination of apigroup / resource grants something you did not want to allow in the first place.

Erratum: events are an exception, though. As pointed out in some kubernetes GitHub Issue ( https://github.com/kubernetes/kubernetes/issues/94857 ), some member would argue this is not a bug: we really need both API groups. Which is kind of surprising.

Not sure why would that be. Sidenote, the schema for Event in core/v1 and events.k8s.io isn't the same:

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#event-v1-events-k8s-io https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#event-v1-core

So they're not the same object strictly speaking, although from what I can see, they return the same data / in terms of etcd, it's the same data, with two JSON representations depending on which api group you query:

In the official documentation you can find the following section:

Kubernetes uses client certificates, bearer tokens, or an authenticating proxy to authenticate API requests through authentication plugins. As HTTP requests are made to the API server, plugins attempt to associate the following attributes with the request:

• Username: a string which identifies the end user. Common values might be kube-admin or jane@example.com.
• UID: a string which identifies the end user and attempts to be more consistent and unique than username.
• Groups: a set of strings, each of which indicates the user's membership in a named logical collection of users. Common values might be system:masters or devops-team.
• Extra fields: a map of strings to list of strings which holds additional information authorizers may find useful.

All values are opaque to the authentication system and only hold significance when interpreted by an authorizer.

You can enable multiple authentication methods at once. You should usually use at least two methods:

• service account tokens for service accounts
• at least one other method for user authentication.

When multiple authenticator modules are enabled, the first module to successfully authenticate the request short-circuits evaluation. The API server does not guarantee the order authenticators run in.

The system:authenticated group is included in the list of groups for all authenticated users.

Integrations with other authentication protocols (LDAP, SAML, Kerberos, alternate x509 schemes, etc) can be accomplished using an authenticating proxy or the authentication webhook.

As you can see to add SAML to your configuration you can use authenticating proxy or the authentication webhook.

If you search an example how to set SAML in Kubernetes, you can read this article.

However, in the vast majority of cases, SAML will extend (rather than replace) the RBAC functionality. See also article How SAML 2.0 Authentication Works?

If a resource was stored when the newer API version (v1) did not exist yet, would this be a problem when the older API version (v1beta1) is removed?

Kubernetes supports a huge elastic deprecation system, which allows you to create, migrate and maintain API versions in time, however(jumping to your next question, you should sometimes manually upgrade API versions to up-to-date ones)

You can check Kubernetes Deprecation Policy guide, that is very important part of keeping cluster in work condition.

Main rules:

• Rule #1: API elements may only be removed by incrementing the version of the API group.
• Rule #2: API objects must be able to round-trip between API versions in a given release without information loss, with the exception of whole REST resources that do not exist in some versions.
• Rule #3: An API version in a given track may not be deprecated until a new API version at least as stable is released.
• Rule #4a: Other than the most recent API versions in each track, older API versions must be supported after their announced deprecation for a certain duration.
• Rule #4b: The "preferred" API version and the "storage version" for a given group may not advance until after a release has been made that supports both the new version and the previous version

You can check also table that describes which API versions are supported in a series of subsequent releases.

Would upgrading to Kubernetes v1.22, which removes rbac.authorization.k8s.io/v1beta1, break already created/stored resources?

I think yes and you have to do some actions according to 1.22 RBAC deprecation resources

How are resource transformations between different API versions handled?

Check What to do

• Test with deprecated APIs disabled

• Locate use of deprecated APIs

• Migrate to non-deprecated APIs