RBAC in enterprise practice: different permissions for different users
Requirements:
User dev can view the logs of Pods in the default and kube-system namespaces.
User test can execute commands in Pods in default, and can delete Pods.
1. First, create the ClusterRoles
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
----------- delete pod -----------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-delete
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - delete
--------- exec into pod -------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
---------- view logs ------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-log
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
  - watch
2. Create the namespace that holds the user service accounts
kubectl create ns kube-users
3. Bind the cluster-wide namespace view permission
kubectl create clusterrolebinding namespace-readonly \
  --clusterrole=namespace-readonly --serviceaccount=system:serviceaccounts:kube-users
# This command cannot create the binding (--serviceaccount expects namespace:name, not a group name); create it from a YAML file instead
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-readonly-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:kube-users
# Create the users (service accounts)
kubectl create sa dev -n kube-users
kubectl create sa test -n kube-users
# Bind the permissions
kubectl create rolebinding dev-pod-log \
  --clusterrole=pod-log --serviceaccount=kube-users:dev --namespace=kube-system
kubectl create rolebinding dev-pod-log \
  --clusterrole=pod-log --serviceaccount=kube-users:dev --namespace=default
kubectl create rolebinding test-pod-exec \
  --clusterrole=pod-exec --serviceaccount=kube-users:test --namespace=default
kubectl create rolebinding test-pod-delete \
  --clusterrole=pod-delete --serviceaccount=kube-users:test --namespace=default
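The following is an added example, not part of the original walkthrough: a small offline model of how the API server's RBAC authorizer combines the four ClusterRoles, the ClusterRoleBinding and the four RoleBindings above. The policy is transcribed from the page into Python data structures; the request cases at the bottom are constructed. It shows three rules that are easy to get wrong when writing bindings like these: a RoleBinding grants nothing outside its own namespace, the ClusterRoleBinding's Group subject matches every service account in kube-users (and only those), and a rule on `pods` never implies `pods/log` or `pods/exec`, which must be named as subresources.

```python
"""Offline simulation of Kubernetes RBAC evaluation for the policy in this
walkthrough.  Added example (not a Kubernetes component); policy transcribed
from the page, request cases constructed."""

# ClusterRoles from the page, one (apiGroups, resources, verbs) tuple per rule.
CLUSTER_ROLES = {
    "namespace-readonly": [
        ([""], ["namespaces"], ["get", "list", "watch"]),
        (["metrics.k8s.io"], ["pods"], ["get", "list", "watch"]),
    ],
    "pod-delete": [([""], ["pods"], ["get", "list", "delete"])],
    "pod-exec": [
        ([""], ["pods"], ["get", "list"]),
        ([""], ["pods/exec"], ["create"]),
    ],
    "pod-log": [([""], ["pods", "pods/log"], ["get", "list", "watch"])],
}

# Bindings from the page.  namespace=None marks the ClusterRoleBinding.
# Subjects are (kind, name); a ServiceAccount name is written "namespace:sa".
BINDINGS = [
    {"role": "namespace-readonly", "namespace": None,
     "subjects": [("Group", "system:serviceaccounts:kube-users")]},
    {"role": "pod-log", "namespace": "kube-system",
     "subjects": [("ServiceAccount", "kube-users:dev")]},
    {"role": "pod-log", "namespace": "default",
     "subjects": [("ServiceAccount", "kube-users:dev")]},
    {"role": "pod-exec", "namespace": "default",
     "subjects": [("ServiceAccount", "kube-users:test")]},
    {"role": "pod-delete", "namespace": "default",
     "subjects": [("ServiceAccount", "kube-users:test")]},
]


def sa_groups(sa_namespace):
    """Groups the API server attaches to every service account identity."""
    return {"system:serviceaccounts",
            "system:serviceaccounts:" + sa_namespace,
            "system:authenticated"}


def subject_matches(subject, sa_namespace, sa_name):
    kind, name = subject
    if kind == "ServiceAccount":
        return name == sa_namespace + ":" + sa_name
    if kind == "Group":
        return name in sa_groups(sa_namespace)
    return False  # User subjects never match a service account


def rule_allows(rule, api_group, resource, verb):
    """RBAC is allow-only; '*' is the wildcard.  A subresource such as
    'pods/log' is a distinct string and is NOT covered by a rule on 'pods'."""
    groups, resources, verbs = rule
    return ((api_group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and (verb in verbs or "*" in verbs))


def can_i(sa_namespace, sa_name, verb, resource, api_group="", namespace=None):
    """True if any binding in scope grants (verb, api_group, resource) to the
    service account.  namespace=None asks about a cluster-scoped resource."""
    for binding in BINDINGS:
        # A RoleBinding applies only inside its own namespace, so it can never
        # grant a cluster-scoped resource; a ClusterRoleBinding applies everywhere.
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue
        if not any(subject_matches(s, sa_namespace, sa_name)
                   for s in binding["subjects"]):
            continue
        rules = CLUSTER_ROLES[binding["role"]]
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False


if __name__ == "__main__":
    # Constructed request cases mirroring the page's requirements.
    cases = [
        ("dev", "get", "pods/log", "", "kube-system"),
        ("dev", "create", "pods/exec", "", "default"),
        ("test", "delete", "pods", "", "default"),
        ("test", "delete", "pods", "", "kube-system"),
        ("test", "list", "namespaces", "", None),
    ]
    for sa, verb, resource, group, ns in cases:
        verdict = can_i("kube-users", sa, verb, resource, group, ns)
        print("%-4s %-6s %-9s in %-11s -> %s" % (sa, verb, resource, ns or "<cluster>", verdict))
```

Against a real cluster the same questions are answered by the API server with `kubectl auth can-i get pods/log -n kube-system --as=system:serviceaccount:kube-users:dev` (and the corresponding `--as` for test); running those checks after applying the bindings is the quickest way to confirm that test's delete and exec rights stop at the default namespace and that dev cannot exec anywhere.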