|NO.Z.00222|——————————|CloudNative|——|Kubernetes & fine-grained access control.V06|——|RBAC.v02|Configuration parameter notes|
1. Configuration file notes
### --- Role example: role permission example
~~~ Note: this creates a Role in the default namespace;
~~~ the Role has get, watch and list permissions on pods
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default  # lives in the default namespace
  name: pod-reader
rules:
- apiGroups: [""]  # "" indicates the core API group
  resources: ["pods"]  # the resource it governs is pods
  verbs: ["get", "watch", "list"]  # its permissions are get, watch, list
2. ClusterRole example: cluster-wide permission example
### --- Creates a ClusterRole named secret-reader;
~~~ its permissions are get, watch and list on secrets,
~~~ and they apply across all namespaces
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader  # creates a ClusterRole called secret-reader
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
3. RoleBinding examples
### --- Case one:
~~~ Note: a Role named pod-reader was created earlier; its permission is read access to pods.
~~~ A RoleBinding now binds it to the user jane
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default  # a RoleBinding must specify a namespace; a ClusterRoleBinding must not
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane  # "name" is case sensitive; binds the pod-reader permissions to the user jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role  # this must be Role or ClusterRole
  name: pod-reader  # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
### --- Case two:
~~~ Note: a ClusterRole was created earlier;
~~~ the secret-reader ClusterRole is bound within the development namespace, and the bound user is dave
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "dave" to read secrets in the "development" namespace.
# You need to already have a ClusterRole named "secret-reader".
kind: RoleBinding
metadata:
  name: read-secrets
  #
  # The namespace of the RoleBinding determines where the permissions are granted.
  # This only grants permissions within the "development" namespace.
  namespace: development
subjects:
- kind: User
  name: dave  # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
4. ClusterRoleBinding example
~~~ # Note: using the secret-reader read permission created earlier, a ClusterRoleBinding is created;
~~~ a ClusterRoleBinding applies to the whole cluster, so no namespace is written
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:  # subjects defines who is bound; it is a list, so several entries can be written
- kind: Group  # bind to the group manager
  name: manager  # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader  # so every user in this group has the secret-reader permissions
  apiGroup: rbac.authorization.k8s.io
5. Referring to resources
### --- Case one: permissions for viewing logs
apiVersion: rbac.authorization.k8s.io/v1
kind: Role  # creates a Role
metadata:
  namespace: default
  name: pod-and-pod-logs-reader  # name of the Role
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]  # also covers the subresource; this Role has get and list on pods and on pods' log
  verbs: ["get", "list"]
### --- Case two: permissions on a configmap
~~~ Note: this Role is named configmap-updater and has update and get permissions on my-configmap;
~~~ because resourceNames pins it to my-configmap, the permission applies to that one configmap only
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: configmap-updater  # name of the Role
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing ConfigMap
  # objects is "configmaps"
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]  # restricts update/get to the named configmap
  verbs: ["update", "get"]
~~~ # When configuring permissions and you are unsure what to put under resources, look at the resources in the view ClusterRole;
~~~ it contains nearly all of them
[root@k8s-master01 ~]# kubectl get clusterrole view -oyaml
resources:
- daemonsets
- daemonsets/status
- deployments
- deployments/scale
- deployments/status
- ingresses
- ingresses/status
- networkpolicies
- replicasets
- replicasets/scale
- replicasets/status
- replicationcontrollers/scale
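The following is an added example, not code from the original post: a small Python model of how the RBAC authorizer evaluates the Role, ClusterRole, RoleBinding and ClusterRoleBinding manifests in sections 1 to 5 (namespace scoping, a RoleBinding that references a ClusterRole, the pods/log subresource, and resourceNames). The manifests are transcribed as Python dicts; the user "ops" and its two bindings are invented for the illustration.

```python
# Added example (not part of the original post): a minimal model of how the RBAC
# authorizer evaluates the manifests above. Objects are constructed from the page's
# Role/ClusterRole/RoleBinding/ClusterRoleBinding; the "ops" bindings are invented.
ROLES = {  # namespaced Roles: (namespace, name) -> rules
    ("default", "pod-reader"): [
        {"resources": ["pods"], "verbs": ["get", "watch", "list"]}],
    ("default", "pod-and-pod-logs-reader"): [
        {"resources": ["pods", "pods/log"], "verbs": ["get", "list"]}],
    ("default", "configmap-updater"): [
        {"resources": ["configmaps"], "resourceNames": ["my-configmap"], "verbs": ["update", "get"]}],
}
CLUSTER_ROLES = {
    "secret-reader": [{"resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
# namespace=None marks a ClusterRoleBinding; a RoleBinding only grants inside its namespace.
BINDINGS = [
    {"namespace": "default", "subjects": [("User", "jane")], "roleRef": ("Role", "pod-reader")},
    {"namespace": "development", "subjects": [("User", "dave")], "roleRef": ("ClusterRole", "secret-reader")},
    {"namespace": None, "subjects": [("Group", "manager")], "roleRef": ("ClusterRole", "secret-reader")},
    {"namespace": "default", "subjects": [("User", "ops")], "roleRef": ("Role", "configmap-updater")},
    {"namespace": "default", "subjects": [("User", "ops")], "roleRef": ("Role", "pod-and-pod-logs-reader")},
]

def rules_for(role_ref, binding_ns):
    """Resolve a roleRef; a RoleBinding can only reference a Role in its own namespace."""
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((binding_ns, name), [])

def rule_matches(rule, verb, resource, name):
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    res_ok = "*" in rule["resources"] or resource in rule["resources"]
    names = rule.get("resourceNames")  # absent or empty means any object name
    return verb_ok and res_ok and (not names or name in names)

def can_i(user, groups, verb, resource, namespace, name=None):
    """True if any binding grants the request; RBAC has no deny rules, so the default is deny."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for b in BINDINGS:
        if not subjects & set(b["subjects"]):
            continue  # this binding is not about the caller
        if b["namespace"] is not None and b["namespace"] != namespace:
            continue  # RoleBinding scoped to another namespace
        if any(rule_matches(r, verb, resource, name) for r in rules_for(b["roleRef"], b["namespace"])):
            return True
    return False
```

On a real cluster, `kubectl auth can-i get pods --namespace default --as jane` asks the API server the same question and is the quickest way to verify a binding before relying on it.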
6. Aggregated ClusterRoles
### --- Case one:
~~~ Note: when creating this ClusterRole you can add a label; the label lets this ClusterRole be selected later
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
  labels:
    self-cluster-role: test  # the label key is self-cluster-role; its value is test
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
### --- Case two:
~~~ # Note: point matchLabels at the label of the ClusterRole created in case one; monitoring then has all the permissions of that ClusterRole.
~~~ Collecting ClusterRoles this way lets you use monitoring alone to grant a user many permissions:
~~~ a single ClusterRole or ClusterRoleBinding carries all of them
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      self-cluster-role: test
rules: []  # The control plane automatically fills in the rules
7. ClusterRoles that let the default "admin" and "edit" roles manage a custom resource named CronTab
~~~ # The following ClusterRoles let the default "admin" and "edit" roles manage the custom resource named CronTab,
~~~ while the "view" role can only perform read operations on CronTab resources.
~~~ You can assume that CronTab objects are named "crontabs" in the URL, as seen by the API server.
~~~ Authorization is granted on crontabs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-cron-tabs-edit
  labels:
    # Add these permissions to the "admin" and "edit" default roles.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["stable.example.com"]
  resources: ["crontabs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aggregate-cron-tabs-view
  labels:
    # Add these permissions to the "view" default role.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["stable.example.com"]  # this apiGroup is generally not written
  resources: ["crontabs"]
  verbs: ["get", "list", "watch"]
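An added example (not part of the original post) showing what the control plane does for sections 6 and 7: it selects every other ClusterRole whose labels match a clusterRoleSelector and unions their rules into the aggregated role. The roles are transcribed as Python dicts; the built-in view role is reduced to just its aggregate-to-view selector, which is an assumption made for the illustration.

```python
# Added example (not part of the original post): how the control plane fills in the
# rules of an aggregated ClusterRole from its clusterRoleSelectors. The roles are
# constructed from sections 6 and 7; the built-in "view" role is reduced to its selector.
CLUSTER_ROLES = [
    {"name": "secret-reader", "labels": {"self-cluster-role": "test"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"name": "aggregate-cron-tabs-view",
     "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"},
     "rules": [{"apiGroups": ["stable.example.com"], "resources": ["crontabs"], "verbs": ["get", "list", "watch"]}]},
    {"name": "monitoring", "labels": {}, "rules": [],
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {"self-cluster-role": "test"}}]}},
    {"name": "view", "labels": {}, "rules": [],
     "aggregationRule": {"clusterRoleSelectors": [
         {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}}]}},
]

def selector_matches(selector, labels):
    """matchLabels: every key/value pair in the selector must be present on the role."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def aggregate(cluster_roles):
    """Return {name: effective rules}. For a role with an aggregationRule the stored
    rules are replaced by the union of the rules of every other ClusterRole that
    matches any of its selectors (duplicates are dropped)."""
    effective = {}
    for role in cluster_roles:
        agg = role.get("aggregationRule")
        if not agg:
            effective[role["name"]] = list(role["rules"])
            continue
        merged = []
        for other in cluster_roles:
            if other is role:
                continue  # a role never aggregates itself
            if any(selector_matches(s, other["labels"]) for s in agg["clusterRoleSelectors"]):
                for rule in other["rules"]:
                    if rule not in merged:
                        merged.append(rule)
        effective[role["name"]] = merged
    return effective
```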