11-2 rbac

Authorization modes (plugins): Node, ABAC, RBAC, Webhook
RBAC: role-based access control; permissions are granted through roles. Kubernetes has shipped RBAC since 1.6 and it is the default authorization mode on clusters built since then.
ABAC: attribute-based access control

Roles: Role (namespaced), ClusterRole (cluster-wide)
Verbs (operations): get, list, watch, create, update, patch, delete, deletecollection. There is no "write" verb; writing is spelled out as create/update/patch/delete.
Subjects: user accounts (User, Group) and service accounts (ServiceAccount)
Bindings: RoleBinding (namespaced) and ClusterRoleBinding (cluster-wide); each binds one or more subjects to a single Role or ClusterRole

Namespace-level authorization:
role:
    operations (verbs)
    objects (resources)
rolebinding:
    user account or service account
    role
Cluster-level authorization: clusterrole, clusterrolebinding
Create a role:
# kubectl create role pods-reader --verb=get,list,watch --resource=pods
# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run=client
# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
# kubectl get role

Bind the role to an existing account (e.g. myuser):
# kubectl create rolebinding myuser-read-pods --role=pods-reader --user=myuser
# kubectl create rolebinding myuser-read-pods --role=pods-reader --user=myuser --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myuser-read-pods
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: myuser
Note that roleRef is immutable once the binding exists: to point a binding at a different role, delete it and create it again. The subjects list can be edited in place.

# kubectl get rolebinding  

# kubectl config view  # list the users and contexts already present in the kubeconfig
Switch to a user (i.e. to the context that carries that user's credentials):
# kubectl config use-context myuser@xxxx
# kubectl get pods


Bind a clusterrole to the account (e.g. myuser):
# kubectl create clusterrolebinding myuser-read-all-pods --clusterrole=cluster-reader --user=myuser --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: myuser-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: myuser
Two caveats: rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22, so use v1 as shown. And cluster-reader is not one of the ClusterRoles Kubernetes ships (its built-in read-only role is view); the API server accepts a binding whose roleRef does not exist, but such a binding grants nothing, so create that ClusterRole first or bind view instead.

# kubectl get clusterrole
# kubectl get clusterrolebinding

Related command-line tools
Getting and inspecting Role/ClusterRole/RoleBinding/ClusterRoleBinding objects:

List all roles in the kube-system namespace:
kubectl get role -n kube-system
Show the resource permissions a given role defines:
kubectl get role <role-name> -n kube-system -o yaml
List all rolebindings in the kube-system namespace:
kubectl get rolebinding -n kube-system
Show the details of a given rolebinding in kube-system (the bound Role and its subjects):
kubectl get rolebinding <rolebinding-name> -n kube-system -o yaml
List all clusterroles in the cluster:
kubectl get clusterrole
Show the resource permissions a given clusterrole defines:
kubectl get clusterrole <clusterrole-name> -o yaml
List all clusterrolebindings:
kubectl get clusterrolebinding
Show the details of a given clusterrolebinding (the bound ClusterRole and its subjects):
kubectl get clusterrolebinding <clusterrolebinding-name> -o yaml
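Reading bindings one at a time with -o yaml does not scale past a handful of objects; what a reviewer usually wants from the listing commands above is "who holds cluster-admin, who has wildcard rules, who can read secrets cluster-wide". The script below is an added example written for this page, not a Kubernetes tool. It consumes the JSON that `kubectl get clusterrole,clusterrolebinding -o json` prints (a v1 List); the SAMPLE embedded here is constructed and trimmed to the fields the script uses, and only its first role and binding mirror real built-ins (cluster-admin and its default binding to the system:masters group). The `kind:name` rendering of users and groups is a convention of this example.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrole,clusterrolebinding -o json`,
# trimmed to the fields used below. Not captured from a real cluster.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pods-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "root-cluster-admin-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "root"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-secrets"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "myuser-read-all-pods"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "pods-viewer"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "myuser"}]},
]})


def subject_id(s):
    """Name a subject the way the authenticator sees it.

    Service accounts really authenticate as system:serviceaccount:<ns>:<name>;
    users and groups are rendered as kind:name, a convention of this example.
    """
    if s["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{s['namespace']}:{s['name']}"
    return f"{s['kind'].lower()}:{s['name']}"


def is_wildcard(rule):
    return "*" in rule.get("resources", []) and "*" in rule.get("verbs", [])


def reads_secrets(rule):
    # list and watch return whole objects, so they expose secret data just like get
    return "secrets" in rule.get("resources", []) and \
        bool({"get", "list", "watch"} & set(rule.get("verbs", [])))


def audit(list_json):
    """Group ClusterRoleBindings by finding: {finding: [(binding, clusterrole, [subjects])]}."""
    items = json.loads(list_json)["items"]
    roles = {i["metadata"]["name"]: i.get("rules", [])   # aggregated roles may lack rules
             for i in items if i["kind"] == "ClusterRole"}
    findings = {"cluster_admin": [], "wildcard": [], "secrets_read": []}
    for b in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        ref = b["roleRef"]["name"]
        rules = roles.get(ref, [])
        entry = (b["metadata"]["name"], ref, [subject_id(s) for s in b.get("subjects", [])])
        if ref == "cluster-admin":
            findings["cluster_admin"].append(entry)
        if any(is_wildcard(r) for r in rules):
            findings["wildcard"].append(entry)
        if any(reads_secrets(r) for r in rules):
            findings["secrets_read"].append(entry)
    return findings


if __name__ == "__main__":
    for finding, entries in audit(SAMPLE).items():
        print(finding)
        for binding, role, subjects in entries:
            print(f"  {binding}: {role} -> {', '.join(subjects)}")
```

The secrets check flags list and watch as well as get on purpose: a subject that may only `list secrets` still receives every Secret's data in the list response. On a live cluster, feed audit() the output of `kubectl get clusterrole,clusterrolebinding -o json` instead of SAMPLE; the expected hit on a fresh cluster is the cluster-admin binding for system:masters, anything beyond that deserves a second look.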

Two kubectl commands grant roles either within a namespace or across the whole cluster.

kubectl create rolebinding
Grants a Role or a ClusterRole within one specific namespace. Examples:
a) Grant the admin ClusterRole to user "bob" in the namespace "acme":
kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme
b) Grant the view ClusterRole to the service account "myapp" in the namespace "acme":
kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme

kubectl create clusterrolebinding
Grants a ClusterRole across the entire cluster, all namespaces included. Examples:
a) Grant the cluster-admin ClusterRole to user "root" cluster-wide:
kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root
b) Grant the system:node ClusterRole to user "kubelet" cluster-wide:
kubectl create clusterrolebinding kubelet-node-binding --clusterrole=system:node --user=kubelet
c) Grant the view ClusterRole to the service account "myapp" from the namespace "acme", cluster-wide:
kubectl create clusterrolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp
The scope comes from the binding, not the role: the same view ClusterRole is limited to the acme namespace when referenced from a RoleBinding (rolebinding example b) and applies to every namespace when referenced from a ClusterRoleBinding (clusterrolebinding example c).
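The namespace-level versus cluster-level split described at the top of these notes, and the bob/myapp/root examples just above, are easier to reason about with a small model of how the API server evaluates them. The following Python is an added example written for this page, not kube-apiserver code: it reimplements the documented RBAC semantics (deny by default, rule matching on apiGroups/resources/verbs with "*" wildcards, a RoleBinding scoped to its own namespace, a ClusterRoleBinding applying everywhere, a missing roleRef granting nothing) and loads the objects this page creates. The `view` rules are a constructed subset of the built-in ClusterRole, not a copy of it, and `cluster-reader` is deliberately left undefined because Kubernetes ships no ClusterRole of that name.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One entry of a Role/ClusterRole `rules:` list."""
    api_groups: tuple   # "" is the core API group; "*" matches any group
    resources: tuple
    verbs: tuple

    def matches(self, api_group, resource, verb):
        def hit(allowed, value):
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, api_group) and hit(self.resources, resource)
                and hit(self.verbs, verb))


@dataclass(frozen=True)
class Subject:
    kind: str            # User, Group or ServiceAccount
    name: str
    namespace: str = ""  # only meaningful for ServiceAccount


@dataclass(frozen=True)
class Binding:
    role_kind: str       # roleRef.kind: Role or ClusterRole
    role_name: str
    subjects: tuple
    namespace: str = ""  # set for a RoleBinding, "" for a ClusterRoleBinding


def _subject_matches(subject, user, groups):
    if subject.kind == "User":
        return subject.name == user
    if subject.kind == "Group":
        return subject.name in groups
    if subject.kind == "ServiceAccount":
        # a pod's token authenticates as system:serviceaccount:<namespace>:<name>
        return user == f"system:serviceaccount:{subject.namespace}:{subject.name}"
    return False


def authorize(world, user, verb, resource, namespace, api_group="", groups=()):
    """Deny-by-default RBAC decision over the roles and bindings in `world`.

    world = {"roles": {(namespace, name): [Rule]},
             "cluster_roles": {name: [Rule]}, "bindings": [Binding]}
    """
    for b in world["bindings"]:
        if b.namespace and b.namespace != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(_subject_matches(s, user, groups) for s in b.subjects):
            continue
        if b.role_kind == "Role":
            rules = world["roles"].get((b.namespace, b.role_name), [])
        else:
            # a ClusterRole referenced from a RoleBinding stays namespace-scoped,
            # because the namespace check above already applied
            rules = world["cluster_roles"].get(b.role_name, [])
        # a binding whose roleRef does not exist yields no rules, hence no access
        if any(r.matches(api_group, resource, verb) for r in rules):
            return True
    return False


def page_world():
    """The objects created on this page plus a constructed subset of `view`."""
    read_pods = Rule(("",), ("pods",), ("get", "list", "watch"))
    return {
        "roles": {("default", "pods-reader"): [read_pods]},
        "cluster_roles": {
            # constructed subset of the built-in view ClusterRole, not a copy of it
            "view": [Rule(("",), ("pods", "services", "configmaps"),
                          ("get", "list", "watch"))],
            # "cluster-reader" is deliberately absent: Kubernetes ships no such
            # ClusterRole, so the binding below that references it grants nothing
        },
        "bindings": [
            Binding("Role", "pods-reader", (Subject("User", "myuser"),), "default"),
            Binding("ClusterRole", "cluster-reader", (Subject("User", "myuser"),)),
            Binding("ClusterRole", "view",
                    (Subject("ServiceAccount", "myapp", "acme"),), "acme"),
        ],
    }


def with_cluster_wide_view(world):
    """page_world() after the clusterrolebinding example c) above has been created."""
    extended = dict(world)
    extended["bindings"] = world["bindings"] + [
        Binding("ClusterRole", "view", (Subject("ServiceAccount", "myapp", "acme"),))]
    return extended


if __name__ == "__main__":
    w, sa = page_world(), "system:serviceaccount:acme:myapp"
    for req in [("myuser", "get", "pods", "default"), ("myuser", "get", "pods", "kube-system"),
                ("myuser", "delete", "pods", "default"), (sa, "list", "pods", "acme"),
                (sa, "list", "pods", "default")]:
        print(req, "->", "allow" if authorize(w, *req) else "deny")
    print("same request once the ClusterRoleBinding exists:",
          authorize(with_cluster_wide_view(w), sa, "list", "pods", "default"))
```

The model makes two things visible that the YAML alone does not: myuser can read pods in default but not in kube-system, because the only binding that exists there is the one to the non-existent cluster-reader; and myapp's access to pods in default flips from deny to allow the moment a ClusterRoleBinding to view is added, even though the ClusterRole itself never changed. On a real cluster the equivalent spot check is `kubectl auth can-i get pods -n kube-system`, run under the user's own context.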

 

posted @ 2022-11-14 23:52  Sky-wings