RBAC: hands-on permissions exercise
Exercise
1. Create a ClusterRole named deployment-clusterrole
a) The ClusterRole must only allow the create verb on deployments, daemonsets and statefulsets
2. In the namespace app-team1, create a ServiceAccount named cicd-token and bind the ClusterRole from the previous step to that ServiceAccount
Steps:
1. First create the ClusterRole that grants create on deployments, daemonsets and statefulsets. Note that these workload kinds live in the apps API group (not the core group ""), the resource names in a rule are plural, and the role name must be the one the later RoleBinding references:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: deployment-clusterrole
rules:
- apiGroups: ["apps"]
  # at the HTTP level the resource names are the plural forms,
  # e.g. Deployment objects are accessed as "deployments"
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["create"]
2. Create the app-team1 namespace
# kubectl create ns app-team1
Create a ServiceAccount named cicd-token (ServiceAccounts are namespaced, so the namespace must be given)
# kubectl create sa cicd-token -n app-team1
3. To grant the permissions only inside the target namespace, use a RoleBinding that references the ClusterRole (a ClusterRoleBinding would grant them in every namespace)
# kubectl create rolebinding deployment-rolebinding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token --namespace=app-team1
4. Log in to the dashboard to check the permissions
How to get the ServiceAccount's token
a) First list the ServiceAccounts
# kubectl get sa -n app-team1
b) Then look at the Secret that belongs to the ServiceAccount (its name ends in a random suffix; here it is cicd-token-token-g2pdq)
# kubectl get secret -n app-team1 cicd-token-token-g2pdq
# kubectl describe secret -n app-team1 cicd-token-token-g2pdq
Caveat: since Kubernetes 1.24 a token Secret is no longer created automatically for a ServiceAccount, so the Secret above will not exist on a current cluster. Request a short-lived token instead with the kubectl create token subcommand (kubectl create token cicd-token -n app-team1), which is also the safer choice because the token expires instead of living forever in a Secret.
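The whole procedure above as one reproducible script, added here as an example and not part of the original page. It assumes a kubeconfig with cluster-admin rights; the object names are the ones from the exercise. Besides applying the four objects it verifies the grant with kubectl auth can-i while impersonating the ServiceAccount, including the negative cases a reviewer would want to see: the verb, resource and namespace boundaries all hold. Run with the argument apply to change the cluster; with no argument it only prints the manifests.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes: kubectl on PATH and a
# kubeconfig with enough rights to create RBAC objects and impersonate.
set -eu

NS=app-team1
SA=cicd-token
CR=deployment-clusterrole
RB=deployment-rolebinding

# Print the manifests for all four objects. Workload kinds live in the "apps"
# API group, resource names are plural, and roleRef.name must match the role.
rbac_manifests() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $CR
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets"]
  verbs: ["create"]
---
apiVersion: v1
kind: Namespace
metadata:
  name: $NS
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $RB
  namespace: $NS
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $CR
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
EOF
}

# Impersonate the ServiceAccount and check one verb/resource/namespace.
# kubectl auth can-i prints yes/no and exits non-zero on "no", hence "|| true".
check() { # check <expected yes|no> <verb> <resource> <namespace>
  got=$(kubectl auth can-i "$2" "$3" -n "$4" \
        --as="system:serviceaccount:$NS:$SA" 2>/dev/null || true)
  if [ "$got" = "$1" ]; then
    echo "ok   $2 $3 in $4 -> $got"
  else
    echo "FAIL $2 $3 in $4 -> $got (expected $1)"
    return 1
  fi
}

# Apply the objects, then verify both the grant and its boundaries.
apply_and_verify() {
  rbac_manifests | kubectl apply -f -
  check yes create deployments  "$NS"
  check yes create statefulsets "$NS"
  check yes create daemonsets   "$NS"
  check no  get    deployments  "$NS"     # only "create" was granted
  check no  create pods         "$NS"     # resource not in the rule
  check no  create deployments  default   # RoleBinding is namespaced
  # Short-lived token for the dashboard login (Kubernetes >= 1.24, no Secret)
  kubectl create token "$SA" -n "$NS" --duration=10m
}

case "${1:-print}" in
  apply) apply_and_verify ;;
  *)     rbac_manifests ;;
esac
```

The negative checks are the important part: a ClusterRole bound through a RoleBinding must not work in the default namespace, and a rule that lists only the create verb must not allow get. If you leave the apiGroups entry at "" or the resource names singular as in the hand-written YAML, the first three checks come back "no", which is the quickest way to catch that mistake.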
## Summary
1. Create the ClusterRole
2. Create the ServiceAccount
3. Create a ClusterRoleBinding or a RoleBinding to bind the ClusterRole to the ServiceAccount (a RoleBinding limits the grant to one namespace, a ClusterRoleBinding applies it cluster-wide)