解决了

卡内邦的存储类用户

  • 2019年8月26日
  • 5回复
  • 2333次观点
W.
我正在尝试使用Karbon配置新的Kubernetes群集。当我到达配置存储类的阶段时,我提示输入用户名和密码。我不确定我应该在这里进入哪个用户,因为我曾经尝试过的少数似乎没有工作。群集设置教程视频显示用户名`admin`,似乎建议使用非常高度特权的用户,这似乎对我不必要。如何创建存储类所需的最小权限的用户?
图标

最好的答案vshuguet.2019年8月27日,18:35

@wfhartford<\/user-mention> ,
\n
\nThe long term solution (no dates\/times, as all of those things changes) is to bring the Volumes API, which is what the CSI driver uses to provision a PVC, up to Prism Central level, and add RBAC to that.
\n
\nUntil that happen, we're using what is available on PE, which in this case is Cluster Admin.","className":"post__content__best_answer"}">
查看原件
此主题已关闭征询意见

5回复

josenutanix
秩
UserLevel 4.
徽章 +5
您需要在Prism元素级别具有群集管理角色的用户。根据您将用于存储的PE群集,您需要一个用户。
何塞戈麦斯|技术营销工程师|jose.gomez@nutanix.com |@ pipoe2h.
W.
因此,存储类的最不特权可能的用户对群集完全控制?这对我来说似乎有点安全风险,是否有计划引入更多的粒度安全控制,以便一个受损的容器不能导致攻击者接管整个群集?
vshuguet.
秩
UserLevel 1.
徽章 +4
你好 @wfhartford.

长期解决方案(没有日期/次,因为所有这些事情都发生了变化)是使卷API,这是CSI驱动程序用于提供PVC,直到棱镜中央级别,并将RBAC添加到那个中。

直到发生,我们正在使用PE上可用的内容,在这种情况下是群集管理员。
产品经理 - Karbon Clusters&Kubernetes @ nutanix
@wfhartford<\/user-mention> ,
\n
\nThe long term solution (no dates\/times, as all of those things changes) is to bring the Volumes API, which is what the CSI driver uses to provision a PVC, up to Prism Central level, and add RBAC to that.
\n
\nUntil that happen, we're using what is available on PE, which in this case is Cluster Admin.","quoteUsername":"vshuguet","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
W.
好的,很高兴知道这里有计划。我是Nutanix的新手,所以各种类型的用户和他们被管理的地方有点令人困惑。它听起来像是在正确的方向上移动。

谢谢
\n
\nThanks","quoteUsername":"wfhartford","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
vshuguet.
秩
UserLevel 1.
徽章 +4
为您提供一个想法,PE(棱镜元素)是我们的单簇管理平面。这是我们在多年前开始的地方,但它在角色/ RBAC功能方面也有限。

PC(棱镜中央)我们的多集群管理平面是我们正在移动我们所有的管理功能,以及我们所有新产品集成的地方。它具有高级的RBAC功能。

目前的情况是由于曾经生活在PE的移动功能的过渡期,直到PC。
产品经理 - Karbon Clusters&Kubernetes @ nutanix
\n
\nPC (Prism Central), our multi-cluster management plane, is where we're moving all of our management features and also where all of our new products integrate. It has advanced RBAC capabilities.
\n
\nThe current situation is born because of that transition period of moving functionalities that used to live in PE, up to PC.","quoteUsername":"vshuguet","translations":{"Common":{"like":"Like","unlike":"Unlike"},"Forum":{"Quote":"Quote","Share":"Share"}}}">
条款和条件
Learn more about our cookies.<\/a>","cookiepolicy.button":"Accept cookies","cookiepolicy.button.deny":"Deny all","cookiepolicy.link":"Cookie settings","cookiepolicy.modal.title":"Cookie settings","cookiepolicy.modal.content":"We use 3 different kinds of cookies. You can choose which cookies you want to accept. We need basic cookies to make this site work, therefore these are the minimum you can select. Learn more about our cookies.<\/a>","cookiepolicy.modal.level1":"Basic
Functional","cookiepolicy.modal.level2":"Normal
Functional + analytics","cookiepolicy.modal.level3":"Complete
Functional + analytics + social media + embedded videos"}}}">
Baidu