11-2 RBAC

Authorization plugins: Node, ABAC, RBAC, Webhook
  RBAC (role-based access control): authorization based on roles; the default authorization mode since Kubernetes 1.6
  ABAC: attribute-based access control

Roles: Role, ClusterRole
Permissions (verbs): get (read), write, update, list, watch
Accounts: user accounts, service accounts
Role bindings: Role, ClusterRole, RoleBinding, ClusterRoleBinding

Namespace-level authorization:
  role = operations + objects
  rolebinding = (user account or service account) + role
Cluster-level authorization: clusterrole, clusterrolebinding

Create a role:
  # kubectl create role pods-reader --verb=get,list,watch --resource=pods
  # kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run
  # kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -oyaml
  (newer kubectl releases require --dry-run=client instead of the bare --dry-run)

  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: pods-reader
    namespace: default
  rules:
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - get
    - list
    - watch

  # kubectl get role

Bind the role to an account you created (e.g. myuser):
  # kubectl create rolebinding myuser-read-pods --role=pods-reader --user=myuser
  # kubectl create rolebinding myuser-read-pods --role=pods-reader --user=myuser --dry-run -oyaml

  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: myuser-read-pods
    namespace: default
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: pods-reader
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: myuser

  # kubectl get rolebinding
  # kubectl config view        # list the user accounts already configured
  Switch to a user:
  # kubectl config use-context myuser@xxxx
  # kubectl get pods

Bind a clusterrole to the account (e.g. myuser):
  # kubectl create clusterrolebinding myuser-read-all-pods --clusterrole=cluster-reader --user=myuser --dry-run -oyaml

  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: myuser-read-all-pods
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: cluster-reader
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: myuser
  (older kubectl printed apiVersion rbac.authorization.k8s.io/v1beta1 here; that API version was removed in Kubernetes 1.22, so use v1)

  # kubectl get clusterrole
  # kubectl get clusterrolebinding

Related command-line tools

Get and inspect Role/ClusterRole/RoleBinding/ClusterRoleBinding objects:
  kubectl get role -n kube-system                                        list all roles in the kube-system namespace
  kubectl get role <role-name> -n kube-system -o yaml                    show the resource permissions a role defines
  kubectl get rolebinding -n kube-system                                 list all rolebindings in the kube-system namespace
  kubectl get rolebinding <rolebind-name> -n kube-system -o yaml         show the details of a rolebinding in kube-system (bound Role and subjects)
  kubectl get clusterrole                                                list all clusterroles in the cluster
  kubectl get clusterrole <clusterrole-name> -o yaml                     show the resource permissions a clusterrole defines
  kubectl get clusterrolebinding                                         list all clusterrolebindings
  kubectl get clusterrolebinding <clusterrolebinding-name> -o yaml       show the details of a clusterrolebinding (bound ClusterRole and subjects)

Two kubectl commands grant roles either within a namespace or across the whole cluster.

kubectl create rolebinding grants a Role or a ClusterRole within one specific namespace. Examples:
  a) Grant the admin ClusterRole to user "bob" in the namespace "acme":
     kubectl create rolebinding bob-admin-binding --clusterrole=admin --user=bob --namespace=acme
  b) Grant the view ClusterRole to the service account "myapp" in the namespace "acme":
     kubectl create rolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp --namespace=acme

kubectl create clusterrolebinding grants a ClusterRole across the entire cluster, all namespaces included. Examples:
  a) Grant the cluster-admin ClusterRole to user "root" cluster-wide:
     kubectl create clusterrolebinding root-cluster-admin-binding --clusterrole=cluster-admin --user=root
  b) Grant the system:node ClusterRole to user "kubelet" cluster-wide:
     kubectl create clusterrolebinding kubelet-node-binding --clusterrole=system:node --user=kubelet
  c) Grant the view ClusterRole to the service account "myapp" of namespace "acme" cluster-wide:
     kubectl create clusterrolebinding myapp-view-binding --clusterrole=view --serviceaccount=acme:myapp
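The scoping rules behind these bindings (a RoleBinding to a Role, a RoleBinding to a ClusterRole that still only applies in the binding's namespace, and a ClusterRoleBinding that applies everywhere) are easy to get wrong when reading YAML. The following is an added example, not code from the notes or from Kubernetes: a small Python model of how the RBAC authorizer evaluates a request against the objects created above. The Role, RoleBinding and ClusterRoleBinding are the ones from the notes, transcribed as Python dicts so no YAML library is needed; the rules of cluster-reader, admin and view are assumptions (the notes do not show them, and the real built-in admin and view roles are far larger). On a real cluster the same questions are answered by `kubectl auth can-i <verb> <resource> --as=<user> -n <namespace>`.

```python
"""Minimal model of Kubernetes RBAC evaluation (added example, not kubectl code)."""

# Namespaced Roles keyed by (namespace, name): the pods-reader Role from the notes.
ROLES = {
    ("default", "pods-reader"): {
        "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
    },
}

# ClusterRoles keyed by name. cluster-reader/admin/view are ASSUMED, simplified rule sets.
CLUSTER_ROLES = {
    "cluster-reader": {
        "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
    },
    "admin": {  # stand-in for the built-in admin role: everything in core and apps groups
        "rules": [{"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["*"]}],
    },
    "view": {   # stand-in for the built-in view role: read-only on pods and services
        "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}],
    },
}

# RoleBindings: myuser-read-pods from the notes, plus the two rolebinding examples (bob, myapp).
ROLE_BINDINGS = [
    {"namespace": "default", "roleRef": {"kind": "Role", "name": "pods-reader"},
     "subjects": [{"kind": "User", "name": "myuser"}]},
    {"namespace": "acme", "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "bob"}]},
    {"namespace": "acme", "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "myapp", "namespace": "acme"}]},
]

# ClusterRoleBindings: myuser-read-all-pods from the notes.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
     "subjects": [{"kind": "User", "name": "myuser"}]},
]


def subject_matches(subject, user, groups):
    """A ServiceAccount subject authenticates as system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def rule_allows(rule, verb, api_group, resource):
    """A rule matches when apiGroup, resource and verb are all listed (or wildcarded)."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def resolve_rules(role_ref, namespace):
    """Look up the rules a roleRef points at; a Role is resolved in the binding's namespace."""
    if role_ref["kind"] == "Role":
        role = ROLES.get((namespace, role_ref["name"]))
    else:
        role = CLUSTER_ROLES.get(role_ref["name"])
    return role["rules"] if role else []


def can_i(user, verb, resource, namespace, api_group="", groups=()):
    """True if any binding grants verb on resource in namespace to user.

    RBAC is allow-only: with no matching rule the request is denied. A RoleBinding
    only counts in its own namespace, even when it references a ClusterRole; a
    ClusterRoleBinding counts in every namespace.
    """
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user, groups) for s in rb["subjects"]):
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in resolve_rules(rb["roleRef"], namespace)):
            return True
    for crb in CLUSTER_ROLE_BINDINGS:
        if not any(subject_matches(s, user, groups) for s in crb["subjects"]):
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in resolve_rules(crb["roleRef"], namespace)):
            return True
    return False


if __name__ == "__main__":
    checks = [("myuser", "get", "pods", "default"), ("myuser", "get", "pods", "kube-system"),
              ("myuser", "delete", "pods", "default"), ("bob", "delete", "pods", "acme"),
              ("bob", "get", "pods", "default"),
              ("system:serviceaccount:acme:myapp", "list", "pods", "acme")]
    for user, verb, resource, ns in checks:
        print(f"{user:40s} {verb:6s} {resource} in {ns}: {'yes' if can_i(user, verb, resource, ns) else 'no'}")
```

Two results are worth noticing: myuser can read pods in kube-system only because of the ClusterRoleBinding, and bob, despite being bound to the admin ClusterRole, has no access outside acme, because the binding is a RoleBinding. When auditing a cluster, it is therefore the binding kind, not the role name, that tells you the blast radius of a grant.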