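# Lists every ClusterRole whose manifest has a top-level aggregationRule key.
# `k` is presumably a shell alias for kubectl (it is not defined on this page).
# The pattern is anchored to the start of the line so that "aggregationRule"
# appearing inside an annotation or other nested text is not a false match.
$ for i in $(k get clusterrole -o name); do k get "$i" -o yaml | grep -q '^aggregationRule:' && echo "$i"; done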
clusterrole.rbac.authorization.k8s.io/admin
clusterrole.rbac.authorization.k8s.io/edit
clusterrole.rbac.authorization.k8s.io/view
$ kubectl get clusterrole admin -o yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
... 此处省略
$ k get clusterrole -l rbac.authorization.k8s.io/aggregate-to-admin=true
NAME CREATED AT
edit 2021-09-14T03:05:31Z
system:aggregate-to-admin 2021-09-14T03:05:31Z
https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
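目的:可以将多个 ClusterRole 的规则自动聚合成一个聚合 ClusterRole(由 aggregationRule 中的标签选择器决定哪些 ClusterRole 被合并)。注意:任何带有匹配标签(如 rbac.authorization.k8s.io/aggregate-to-admin: "true")的 ClusterRole,包括第三方组件安装的,都会自动扩大 admin/edit/view 的权限,并影响所有绑定这些角色的主体;可用上面按标签查询的命令定期审计。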
例子
获取当前聚合cluster Role:
实现原理
由 kube-controller-manager 中的 clusterroleaggregation 控制器实现(见源码)。