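现状:
目前集群使用 NFS 作为存储,并通过 StorageClass 由 PVC 动态申请 PV。
需求:限制用户动态申请 PV。
以下依次查看 nfs-client-provisioner 的 ClusterRole、用户 liweiming 的 GlobalRoleBinding、当前 kubeconfig,以及命名空间内的 Role 和 RoleBinding,用于排查与 PVC/PV 相关的 RBAC 权限。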
[root@UR-20210425NAMA d]# kubectl get clusterrole kubesphere-nfs-client-nfs-client-provisioner-runner
NAME CREATED AT
kubesphere-nfs-client-nfs-client-provisioner-runner 2021-05-20T08:52:47Z
[root@UR-20210425NAMA d]# kubectl describe clusterrole kubesphere-nfs-client-nfs-client-provisioner-runner
Name: kubesphere-nfs-client-nfs-client-provisioner-runner
Labels: app=nfs-client-provisioner
app.kubernetes.io/managed-by=Helm
chart=nfs-client-provisioner-1.2.11
heritage=Helm
release=kubesphere-nfs-client
Annotations: meta.helm.sh/release-name: kubesphere-nfs-client
meta.helm.sh/release-namespace: kube-system
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
events [] [] [create update patch]
persistentvolumes [] [] [get list watch create delete]
persistentvolumeclaims [] [] [get list watch update]
storageclasses.storage.k8s.io [] [] [get list watch]
[root@UR-20210425NAMA d]#
[root@UR-20210425NAMA d]# kubectl get globalrolebindings liweiming-platform-admin
NAME AGE
liweiming-platform-admin 41d
[root@UR-20210425NAMA d]# kubectl describe globalrolebindings liweiming-platform-admin
Name: liweiming-platform-admin
Namespace:
Labels: iam.kubesphere.io/user-ref=liweiming
kubefed.io/managed=true
Annotations: <none>
API Version: iam.kubesphere.io/v1alpha2
Kind: GlobalRoleBinding
Metadata:
Creation Timestamp: 2021-06-21T02:59:30Z
Generation: 1
Managed Fields:
API Version: iam.kubesphere.io/v1alpha2
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:labels:
.:
f:iam.kubesphere.io/user-ref:
f:kubefed.io/managed:
f:roleRef:
.:
f:apiGroup:
f:kind:
f:name:
f:subjects:
Manager: controller-manager
Operation: Update
Time: 2021-06-21T02:59:30Z
Resource Version: 14058743
Self Link: /apis/iam.kubesphere.io/v1alpha2/globalrolebindings/liweiming-platform-admin
UID: 508d1607-5861-434f-84ed-a076d78db631
Role Ref:
API Group: iam.kubesphere.io
Kind: GlobalRole
Name: platform-admin
Subjects:
API Group: rbac.authorization.k8s.io
Kind: User
Name: liweiming
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Synced 8m34s (x140 over 23h) globalrolebinding-controller GlobalRoleBinding synced successfully
[root@UR-20210425NAMA d]#
[root@UR-20210425NAMA d]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.13.177:6443
name: local
contexts:
- context:
cluster: local
namespace: default
user: liweiming
name: liweiming@local
current-context: liweiming@local
kind: Config
preferences: {}
users:
- name: liweiming
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@UR-20210425NAMA d]#
[root@UR-20210425NAMA d]# kubectl get role
NAME CREATED AT
admin 2021-05-20T10:29:23Z
operator 2021-05-20T10:29:22Z
role-template-manage-alerting-messages 2021-05-20T10:29:23Z
role-template-manage-alerting-policies 2021-05-20T10:29:22Z
role-template-manage-app-workloads 2021-05-20T10:29:23Z
role-template-manage-configmaps 2021-05-20T10:29:22Z
role-template-manage-custom-monitoring 2021-05-20T10:29:21Z
role-template-manage-members 2021-05-20T10:29:22Z
role-template-manage-project-settings 2021-05-20T10:29:23Z
role-template-manage-roles 2021-05-20T10:29:20Z
role-template-manage-secrets 2021-05-20T10:29:22Z
role-template-manage-serviceaccount 2021-06-18T14:55:11Z
role-template-manage-snapshots 2021-05-20T10:29:23Z
role-template-manage-volumes 2021-05-20T10:29:23Z
role-template-view-alerting-messages 2021-05-20T10:29:20Z
role-template-view-alerting-policies 2021-05-20T10:29:23Z
role-template-view-app-workloads 2021-05-20T10:29:21Z
role-template-view-basic 2021-05-20T10:29:23Z
role-template-view-configmaps 2021-05-20T10:29:23Z
role-template-view-custom-monitoring 2021-05-20T10:29:20Z
role-template-view-members 2021-05-20T10:29:23Z
role-template-view-roles 2021-05-20T10:29:23Z
role-template-view-secrets 2021-05-20T10:29:21Z
role-template-view-serviceaccount 2021-06-18T14:55:11Z
role-template-view-snapshots 2021-05-20T10:29:22Z
role-template-view-volumes 2021-05-20T10:29:23Z
viewer 2021-05-20T10:29:23Z
[root@UR-20210425NAMA d]#
[root@UR-20210425NAMA d]# kubectl get role admin
NAME CREATED AT
admin 2021-05-20T10:29:23Z
[root@UR-20210425NAMA d]# kubectl describe role admin
Name: admin
Labels: <none>
Annotations: iam.kubesphere.io/aggregation-roles:
["role-template-view-members","role-template-manage-members", "role-template-view-roles","role-template-manage-roles", "role-template-view...
kubesphere.io/creator: system
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[root@UR-20210425NAMA d]# kubectl describe role viewer
Name: viewer
Labels: <none>
Annotations: iam.kubesphere.io/aggregation-roles:
["role-template-view-members","role-template-view-roles", "role-template-view-app-workloads","role-template-view-custom-monitoring", "role...
kubesphere.io/creator: system
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [get list watch]
[root@UR-20210425NAMA d]#
[root@UR-20210425NAMA d]# kubectl -n scp-dev get rolebindings.rbac.authorization.k8s.io
NAME ROLE AGE
liweiming-admin Role/admin 18d
pipeline-user-operator Role/operator 12d
wuxinghua-admin Role/admin 9d
[root@UR-20210425NAMA d]# kubectl -n scp-dev describe rolebindings.rbac.authorization.k8s.io liweiming-admin
Name: liweiming-admin
Labels: iam.kubesphere.io/user-ref=liweiming
Annotations: <none>
Role:
Kind: Role
Name: admin
Subjects:
Kind Name Namespace
---- ---- ---------
User liweiming
[root@UR-20210425NAMA d]#