# ClusterRole for a certificate signer: the holder can read
# CertificateSigningRequests, write their status, and sign for one named signer.
# A ClusterRole grants nothing until it is bound; bind it only to the identity
# that actually performs signing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csr-signer
rules:
  # Read-only access to CertificateSigningRequest objects.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - list
      - watch
  # Write access to the status subresource only. The approval subresource
  # (certificatesigningrequests/approval) is not listed, so this role cannot
  # approve or deny requests.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/status
    verbs:
      - update
  # Permission to sign, limited by resourceNames to a single signer name.
  # Keep resourceNames in place: without it the rule would match every
  # signer name rather than just this one.
  - apiGroups:
      - certificates.k8s.io
    resources:
      - signers
    resourceNames:
      # example.com/* can be used to authorize all signers in the
      # "example.com" domain; the exact name is the narrower grant.
      - example.com/my-signer-name
    verbs:
      - sign