配置RBAC权限,使pod拥有资源的使用权限
1、配置rbac:
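# Create the ServiceAccount "test" explicitly in "default": the RBAC subjects and
# the Deployment both reference that namespace, so the result must not depend on
# whichever namespace the current kubectl context happens to point at.
kubectl create serviceaccount test --namespace default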
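# rbac_test.yaml -- create this file (the original step is `vim rbac_test.yaml`)
# and paste the four manifests below. Together they give the ServiceAccount
# "test" in namespace "default" read-only (get/list) access; no write verbs and
# no access to Secrets are granted.
---
# Namespaced read-only permissions, valid only inside "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-example
  namespace: default
rules:
  # NOTE(review): storageclasses is a cluster-scoped resource. A namespaced Role
  # cannot grant access to it, so this rule has no effect; the ClusterRole
  # further down is what actually authorizes storageclasses.
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
  - apiGroups:
      - ""
    resources:
      - pods
      - endpoints
      # NOTE(review): persistentvolumes is cluster-scoped as well, so listing it
      # here grants nothing, and no ClusterRole in this file covers it. If PV
      # reads are needed, add it to the ClusterRole; otherwise drop the entry.
      - persistentvolumes
      - persistentvolumeclaims
    verbs:
      - get
      - list
---
# Binds role-example to the ServiceAccount default/test.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: RoleBinding-example
  # Set explicitly so the binding always lands next to the Role it references,
  # regardless of kubectl's current namespace. roleRef can only resolve a Role
  # in the binding's own namespace.
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-example
subjects:
  - kind: ServiceAccount
    name: test
    namespace: default
---
# Cluster-wide read-only access to StorageClasses (cluster-scoped, so it needs
# a ClusterRole rather than a Role).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-example-1
rules:
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
---
# Binds role-example-1 to the same ServiceAccount. A ClusterRoleBinding applies
# in every namespace, so keep the bound ClusterRole as narrow as it is here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: RoleBinding-example-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-example-1
subjects:
  - kind: ServiceAccount
    name: test
    namespace: default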
# Submit every manifest in rbac_test.yaml (Role, RoleBinding, ClusterRole,
# ClusterRoleBinding) to the cluster in a single call.
kubectl apply --filename rbac_test.yaml
2、deploy配置sa
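# Deployment whose pod runs as the ServiceAccount "test". The pod's mounted
# ServiceAccount token therefore carries exactly the permissions bound to
# default/test by RBAC.
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: rbactest
  namespace: default
  labels:
    appgroup: ''
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      # Must equal the pod template labels below; with a selector that does not
      # match the template (previously app: mxdtest) the API server rejects the
      # Deployment.
      app: rbactest
      version: v1
  template:
    metadata:
      labels:
        app: rbactest
        version: v1
    spec:
      volumes:
        - name: vol-164266755394681842
          emptyDir:
            sizeLimit: 2G
      containers:
        - name: container-1
          # NOTE(review): ":latest" is a mutable tag and, combined with
          # IfNotPresent, nodes can end up running different image contents.
          # Pin an immutable tag or digest for anything beyond a demo.
          image: 'swr.cn-north-4.myhuaweicloud.com/rbac/dx-kubectl-proxy:latest'
          resources:
            limits:
              cpu: 250m
              memory: 512Mi
            requests:
              cpu: 250m
              memory: 512Mi
          volumeMounts:
            - name: vol-164266755394681842
              mountPath: /test
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      # The pod authenticates to the API server as default/test. Anything that
      # can use this pod's token acts with that account's RBAC permissions.
      serviceAccountName: test
      # Deprecated alias of serviceAccountName; kept as in the exported manifest.
      serviceAccount: test
      # NOTE(review): empty, so the container runs with the image's default user
      # and capabilities. Consider runAsNonRoot, seccompProfile RuntimeDefault
      # and, per container, allowPrivilegeEscalation: false with all
      # capabilities dropped, once confirmed the image works with them.
      securityContext: {}
      imagePullSecrets:
        - name: default-secret
      schedulerName: default-scheduler
      dnsConfig:
        options:
          - name: timeout
            value: ''
          - name: ndots
            value: '5'
          - name: single-request-reopen
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600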
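3、验证:可用 `kubectl auth can-i list pods -n default --as=system:serviceaccount:default:test` 检查授权是否生效(预期返回 yes);未授权的操作(例如把 list 换成 delete)应返回 no。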

---小米
