Learning
https://www.icode9.com/content-4-510472.html
https://www.qikqiak.com/k8s-book/docs/30.RBAC.html
每个namespace都会创建默认的sa,名为default
ServiceAccount 会生成一个 Secret 对象和它进行映射,这个 Secret 里面包含一个 token。
kubectl create sa test-sa -n rbac-learning
$ kubectl describe sa -n rbac-learning sa-test
Name: sa-test
Namespace: rbac-learning
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: sa-test-token-9n9mm # secret
Tokens: sa-test-token-9n9mm
Events: <none>
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: role-test
namespace: rbac-learning
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
kubectl api-resources
如果APIGROUP是空的,则说明使用的是Core APIGROUP,使用空字符:""
读取权限:["get", "list", "watch"]
读/写权限:["get", "list", "watch", "create", "update", "patch", "delete"]
指定特定名称资源的权限:
rules:
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["my-config"]
verbs: ["get"]
将创建的sa和role进行绑定:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: sa-rolebinding-test
namespace: rbac-learning
subjects:
- kind: ServiceAccount
name: test-sa
namespace: rbac-learning
roleRef:
kind: Role
name: role-test
apiGroup: rbac.authorization.k8s.io
如果我们现在创建一个新的 ServiceAccount,需要他操作的权限作用于所有的 namespace,这个时候我们就需要使用到 ClusterRole 和 ClusterRoleBinding 这两种资源对象了。
admin="admin"
kubectl create serviceaccount ${admin} -n kube-system
kubectl create clusterrolebinding ${admin} --clusterrole=cluster-admin --serviceaccount=kube-system:${admin}
Step 1:创建一个ServiceAccount
kubectl create sa -n kube-system clusteradmin
Step 2:创建RoleBinding
cluster-admin 是Kubernetes
集群内置的 ClusterRole 对象,我们可以使用kubectl get clusterrole
和kubectl get clusterrolebinding
查看系统内置的一些集群角色和集群角色绑定.
这里我们使用的 cluster-admin 这个集群角色是拥有最高权限的集群角色,所以一般需要谨慎使用该集群角色。
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: sa-clusterrolebinding-test
subjects:
- kind: ServiceAccount
name: admin-sa
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io