Situation:
- users A, B, C, D
- team 1: user A, user B
- team 2: user C, user D
Desired:
- each user has private volume
- each team has a shared volume --> users in team can see shared volume
- some users, based on permission, can see both shared volumes
Searched for quite some time now, do not see a solution in the Docs.
Ideas:
- Use Namespaces! problem --> can no longer see shared volume of other Namespace
This is an example of how you would do it. You can use namespaces for the different teams.
Then you can use a Role for each volume and assign to users accordingly. (Roles are namespaced). A sample Role would be:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: team1
  name: volume-access
rules:
- apiGroups: [""]
  # Resource names are plural. PersistentVolumes are cluster-scoped, so a namespaced
  # Role cannot grant access to them; only the persistentvolumeclaims entry takes effect.
  resources: ["persistentvolumes", "persistentvolumeclaims"]
  # resourceNames restricts get/update/patch to this PVC; list and watch are only
  # authorized when the request carries a matching metadata.name field selector.
  resourceNames: ["my-volume"]
  verbs: ["update", "get", "list", "patch", "watch"]

Then your binding would be something like:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pv-binding
  namespace: team1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: volume-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: usera
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userb

The above would be shared by user A and user B. You can create separate roles for the volume that is private.
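As an added example (not part of the original answer), here are the two pieces the answer leaves implicit: a Role plus RoleBinding for one user's private volume, and a RoleBinding in the other team's namespace that lets a single user from team 1 see team 2's shared volume (the cross-namespace case from the question). The PVC names usera-private and team2-shared, the Role names, and the user names userc and userd are assumed. Users are not namespaced objects, so a RoleBinding in namespace team2 can list usera as a subject even though usera normally works in team1.

```yaml
# Private volume for user A in namespace team1 (assumed PVC name: usera-private)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team1
  name: usera-private-volume
rules:
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  resourceNames: ["usera-private"]
  verbs: ["get", "list", "watch"]
---
# Only user A is bound to the private Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team1
  name: usera-private-volume
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: usera-private-volume
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: usera
---
# Team 2's shared volume (assumed PVC name: team2-shared) lives in namespace team2.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team2
  name: shared-volume-access
rules:
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  resourceNames: ["team2-shared"]
  verbs: ["get", "list", "watch"]
---
# Users are cluster-wide identities, so a RoleBinding in team2 can name user A.
# This is what gives a permitted user visibility into another team's shared volume.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team2
  name: shared-volume-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: shared-volume-access
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userc
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userd
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: usera   # the cross-team exception from the question
```

Apply with kubectl apply -f and check the result with kubectl auth can-i, impersonating each user, for example: kubectl auth can-i get persistentvolumeclaims/team2-shared -n team2 --as usera (expected yes) and the same command with --as userb (expected no). Keep in mind that these rules govern access to the PVC objects through the API; a volume is actually mounted by a Pod, so whoever is allowed to create Pods in a namespace can mount any PVC in that namespace. Pod-creation rights per namespace are therefore the second thing to review when enforcing the private/shared split.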