琼杰笔记一、简述
RBAC即Role-Base Access Control的简称,是目前kubernetes上常用的权限授权方式。此种授权方式主要通过用户user、角色role/集群角色clusterrole和许可Permission三种对象关联进行工作。可以对访问api请求给予不同的权限,如get、list、create、update、patch、watch、proxy、redirect、delete、deletecollection等。
二、授权演示实例
1.创建role
role官方解释和实例:
[root@master1 ~]# kubectl create role --help
Create a role with single rule.
Examples:
# Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
# Create a Role named "pod-reader" with ResourceName specified
kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod
--resource-name=anotherpod
# Create a Role named "foo" with API Group specified
kubectl create role foo --verb=get,list,watch --resource=rs.extensions
# Create a Role named "foo" with SubResource specified
kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
Options:
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or
map key is missing in the template. Only applies to golang and jsonpath output formats.
--dry-run='none': Must be "none", "server", or "client". If client strategy, only print the
object that would be sent, without sending it. If server strategy, submit server-side request
without persisting the resource.
-o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-file.
--resource=[]: Resource that the rule applies to
--resource-name=[]: Resource in the white list that the rule applies to, repeat this flag for
multiple items
--save-config=false: If true, the configuration of current object will be saved in its
annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to
perform kubectl apply on this object in the future.
--template='': Template string or path to template file to use when -o=go-template,
-o=go-template-file. The template format is golang templates
[http://golang.org/pkg/text/template/#pkg-overview].
--validate=true: If true, use a schema to validate the input before sending it
--verb=[]: Verb that applies to the resources contained in the rule
Usage:
kubectl create role NAME --verb=verb --resource=resource.group/subresource
[--resource-name=resourcename] [--dry-run=server|client|none] [options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
实例:
[root@master1 ~]# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml W0529 10:01:07.330069 5715 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null name: pods-reader rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
2.创建rolebinding
官方解释和实例
[root@master1 ~]# kubectl create rolebinding --help
Create a RoleBinding for a particular Role or ClusterRole.
Examples:
# Create a RoleBinding for user1, user2, and group1 using the admin ClusterRole
kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1
Options:
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or
map key is missing in the template. Only applies to golang and jsonpath output formats.
--clusterrole='': ClusterRole this RoleBinding should reference
--dry-run='none': Must be "none", "server", or "client". If client strategy, only print the
object that would be sent, without sending it. If server strategy, submit server-side request
without persisting the resource.
--group=[]: Groups to bind to the role
-o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-file.
--role='': Role this RoleBinding should reference
--save-config=false: If true, the configuration of current object will be saved in its
annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to
perform kubectl apply on this object in the future.
--serviceaccount=[]: Service accounts to bind to the role, in the format <namespace>:<name>
--template='': Template string or path to template file to use when -o=go-template,
-o=go-template-file. The template format is golang templates
[http://golang.org/pkg/text/template/#pkg-overview].
--validate=true: If true, use a schema to validate the input before sending it
Usage:
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username]
[--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
[options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
实例
[root@master1 ~]# kubectl create rolebinding jakeli-pods-reader --role=pods-reader --user=jakeli rolebinding.rbac.authorization.k8s.io/jakeli-pods-reader created [root@master1 ~]# kubectl get rolebinding NAME ROLE AGE jakeli-pods-reader Role/pods-reader 16s [root@master1 ~]# kubectl get role NAME CREATED AT pods-reader 2020-05-29T02:02:57Z [root@master1 ~]# kubectl describe rolebinding jakeli-pods-reader Name: jakeli-pods-reader Labels: <none> Annotations: <none> Role: Kind: Role Name: pods-reader Subjects: Kind Name Namespace ---- ---- --------- User jakeli
yaml配置格式:
[root@master1 ~]# kubectl create rolebinding jakeli-pods-reader --role=pods-reader --user=jakeli --dry-run -o yaml W0529 10:12:26.821438 9868 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client. apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: creationTimestamp: null name: jakeli-pods-reader roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: pods-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: jakeli
此时切换到jakeli用户后,就有了get,list,watch的权限。
3.创建clusterrole
clusterrole类似于role
实例
[root@master1 ~]# kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods -o yaml --dry-run W0529 10:17:32.257743 11668 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: cluster-reader rules: - apiGroups: - "" resources: - pods verbs: - get - list - watch
创建并查看clusterrole
[root@master1 ~]# kubectl describe clusterrole cluster-reader Name: cluster-reader Labels: <none> Annotations: <none> PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- pods [] [] [get list watch]
4.创建clusterrolebinding
创建格式类似于rolebindbing,实例:
[root@master1 ~]# kubectl create clusterrolebinding jakeli-read-all-pods --clusterrole=cluster-reader --user=jakeli --dry-run -o yaml W0529 10:32:54.329656 17238 helpers.go:535] --dry-run is deprecated and can be replaced with --dry-run=client. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: null name: jakeli-read-all-pods roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-reader subjects: - apiGroup: rbac.authorization.k8s.io kind: User name: jakeli
查看clusterrolebinding,此时jakeli用户就被授权了相应的执行权限。
[root@master1 ~]# kubectl describe clusterrolebinding jakeli-read-all-pods Name: jakeli-read-all-pods Labels: <none> Annotations: <none> Role: Kind: ClusterRole Name: cluster-reader Subjects: Kind Name Namespace ---- ---- --------- User jakeli
5.创建rolebinding绑定clusterrole
您暂时无权查看此隐藏内容!
内容查看价格4.99元立即支付
注意:本站少数资源收集于网络,如涉及版权等问题请及时与站长联系,我们会在第一时间内与您协商解决。如非特殊说明,本站所有资源解压密码均为:zhangqiongjie.com。
作者:1923002089
评论前必须登录!
注册