Kubernetes Study Notes (27): Role Based Access Controls
Role and RoleBinding are namespaced objects; for cluster-wide permissions use ClusterRole and ClusterRoleBinding instead.
developer-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
- apiGroups: [""] ## use kubectl api-resources to look up the API group / apiVersion of a resource
  resources: ["pods"]
  verbs: ["list", "get", "create", "update", "delete"]
- apiGroups: [""]
  resources: ["configmaps"] ## resources are the lowercase plural names; "ConfigMap" would match nothing
  verbs: ["create"]
Create the role: kubectl create -f developer-role.yaml
devuser-developer-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: devuser-developer-binding
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
Create the role binding: kubectl create -f devuser-developer-binding.yaml
Inspect:
kubectl get roles
kubectl get rolebindings
kubectl describe role developer
kubectl describe rolebinding devuser-developer-binding
Verify permissions (the --as flag checks them on behalf of another user):
kubectl auth can-i create deployments
kubectl auth can-i delete nodes --as dev-user --namespace test
Create, bind and edit roles from the command line:
kubectl create role developer --namespace=default --verb=list,create,delete --resource=pods
kubectl create rolebinding dev-user-binding --namespace=default --role=developer --user=dev-user
kubectl edit role developer -n blue
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: blue
rules:
- apiGroups:
  - "" ## pods live in the core group, not in apps; a rule with apiGroups: [apps] for pods never matches
  resourceNames:
  - dark-blue-app
  resources:
  - pods
  verbs:
  - get
  - watch
  - create
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - watch
  - create
  - delete
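To see how the API server evaluates these rules before running kubectl auth can-i, here is a small emulator of RBAC rule matching written for these notes (it is not part of the original post and not Kubernetes code). The rule sets are transcribed from the two Role manifests above; it also shows the two pitfalls in those manifests: a resource that is not the lowercase plural name matches nothing, and a rule with resourceNames cannot grant create, because a create request carries no name at authorization time.

```python
"""Emulator of Kubernetes RBAC rule matching (additive rules, no deny)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


# Transcribed from developer-role.yaml above ("" is the core API group).
DEVELOPER_RULES = [
    Rule([""], ["pods"], ["list", "get", "create", "update", "delete"]),
    Rule([""], ["configmaps"], ["create"]),
]

# Transcribed from the edited Role in namespace "blue" above.
BLUE_RULES = [
    Rule([""], ["pods"], ["get", "watch", "create", "delete"], ["dark-blue-app"]),
    Rule(["apps"], ["deployments"], ["get", "watch", "create", "delete"]),
]


def _matches(wanted: str, allowed: List[str]) -> bool:
    """Exact, case-sensitive match, or a "*" wildcard in the rule."""
    return "*" in allowed or wanted in allowed


def can_i(rules: List[Rule], verb: str, resource: str, api_group: str = "", name: str = "") -> bool:
    """True if any rule grants the request; rules only ever add permissions."""
    for rule in rules:
        if not (_matches(verb, rule.verbs)
                and _matches(api_group, rule.api_groups)
                and _matches(resource, rule.resources)):
            continue
        # A name-scoped rule needs a request name; create requests have none yet.
        if rule.resource_names and (not name or name not in rule.resource_names):
            continue
        return True
    return False


def lint_resources(rules: List[Rule]) -> List[str]:
    """Flag resource entries that are not lowercase (e.g. "ConfigMap"): they are silently ignored."""
    return [r for rule in rules for r in rule.resources if r != r.lower()]
```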