`RBAC`的配置顺序:
✔ 首先,确定被授权的主体(`subject`):可以是用户`User`、用户组`Group`或服务账号`ServiceAccount`。注意:主体只是"被授权者",它本身并不是角色,也不自带任何权限;
✔ 接着,定义一个`role`(角色),在其`rules`中列出允许的动作,比如:允许对`pod`执行`get`/`list`/`watch`。需要注意,RBAC 只有"允许"规则、没有"禁止"规则:凡是未被显式授予的动作一律默认拒绝,因此无法也无需写出"禁止`describe`pod";`describe`本身也不是 RBAC 动词,它只是`kubectl`基于`get`/`list`等权限组合出来的命令;
✔ 最后,通过`binding`把主体与角色绑定起来,主体即获得该角色`rules`中授予的全部权限,且仅限这些权限。
`RBAC`中配置生效的经验之谈:
✔ `role`+`rolebinding`=作用于对应名称空间的策略;
✔ `clusterrole`+`clusterrolebinding`=作用于集群级别的策略:对所有名称空间(包括`kube-system`)中的对应资源都生效,也是唯一能授予集群级资源(如`node`、`namespace`、`persistentvolume`)和`nonResourceURLs`权限的方式;授予前应按最小权限原则确认确实需要跨名称空间访问;
✔ `clusterrole`+`rolebinding`=作用于对应名称空间的策略,作用同第一条;但`clusterrole`中针对集群级资源或`nonResourceURLs`的规则不会通过`rolebinding`生效。其好处是同一个`clusterrole`可以在多个名称空间中反复绑定、复用,不必在每个名称空间重复定义`role`,更灵活更简洁。
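# Namespace-scoped Role: read-only access to a few core resources in ONE namespace.
# RBAC is allow-only: every verb/resource not listed here is denied by default.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default   # the rules below apply only to objects in this namespace
  name: res-reader
rules:
- apiGroups: ['']      # '' is the core API group (pods, services, ...)
  # NOTE: pods/log exposes everything the workloads write to stdout/stderr,
  # including any secrets they happen to print -- grant it deliberately.
  resources: ['pods', 'pods/log', 'services']
  verbs: ['get', 'list', 'watch']   # read-only; no create/update/patch/delete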
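# Namespace-scoped binding: grants Role "res-reader" (namespace "default") to user
# "ilinux". A ClusterRoleBinding would be the cluster-wide counterpart.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ilinux-res-reader   # naming convention for readability: <user>-<permission>
  namespace: default        # must be the Role's namespace; the grant is confined to it
subjects:
- kind: User                # must match the username the API server authenticates the kubeconfig as
  name: ilinux
  apiGroup: rbac.authorization.k8s.io
roleRef:                    # roleRef cannot be edited after creation; recreate the binding to point elsewhere
  kind: Role
  name: res-reader
  apiGroup: rbac.authorization.k8s.io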
[root@centos-1 RBAC]# kubectl get pod --kubeconfig=/tmp/ilinux.kubeconfig
NAME READY STATUS RESTARTS AGE
ngx-new-cb79d555-hfc7h 1/1 Running 0 10d
[root@centos-1 RBAC]# kubectl get service --kubeconfig=/tmp/ilinux.kubeconfig
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 11d
[root@centos-1 RBAC]# kubectl get service --kubeconfig=/tmp/ilinux.kubeconfig -n ingress-nginx
Error from server (Forbidden): services is forbidden: User 'ilinux' cannot list resource 'services' in API group '' in the namespace 'ingress-nginx'
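# Cluster-scoped role: the same read-only rules as res-reader, but with no namespace.
# How far it reaches depends on the binding: a ClusterRoleBinding makes it cluster-wide
# (every namespace, kube-system included); a RoleBinding confines it to that namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-res-reader
rules:
- apiGroups: ['']      # '' is the core API group
  # NOTE: when bound cluster-wide, pods/log means every workload's logs in every namespace.
  resources: ['pods', 'pods/log', 'services']
  verbs: ['get', 'list', 'watch']   # read-only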
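# Cluster-level binding: user "ilinux" can now get/list/watch pods, pod logs and
# services in EVERY namespace (the ingress-nginx query that was Forbidden before
# succeeds after this). Grant only when cross-namespace access is really needed.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-ilinux-res-reader   # naming convention: <user>-<permission>; no namespace field -- cluster scoped
subjects:
- kind: User
  name: ilinux
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-res-reader
  apiGroup: rbac.authorization.k8s.io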
[root@centos-1 RBAC]# kubectl get clusterrole
[root@centos-1 RBAC]# kubectl get clusterrolebinding
[root@centos-1 RBAC]# kubectl get service --kubeconfig=/tmp/ilinux.kubeconfig -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-ingress-controller NodePort 10.99.160.254 <none> 80:30080/TCP,443:30443/TCP 26h
[root@centos-1 RBAC]# kubectl get service --kubeconfig=/tmp/ilinux.kubeconfig
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 11d
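# ClusterRole + RoleBinding: reuses cluster-res-reader but confines it to "default".
# Only the ClusterRole's namespaced rules apply here; cluster-scoped resources or
# nonResourceURLs it might list would NOT be granted through a RoleBinding.
# RBAC is purely additive -- this binding cannot take away access the user still
# holds through another binding (e.g. the ClusterRoleBinding above, if it still exists).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-default-ilinux-res-reader   # naming convention: <user>-<permission>
  namespace: default                        # the namespace the grant is confined to
subjects:
- kind: User
  name: ilinux
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole                         # a ClusterRole may be referenced from a namespaced RoleBinding
  name: cluster-res-reader
  apiGroup: rbac.authorization.k8s.io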
[root@centos-1 RBAC]# kubectl get service --kubeconfig=/tmp/ilinux.kubeconfig
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 11d
[root@centos-1 RBAC]# kubectl get service --kubeconfig=/tmp/ilinux.kubeconfig -n ingress-nginx
Error from server (Forbidden): services is forbidden: User 'ilinux' cannot list resource 'services' in API group '' in the namespace 'ingress-nginx'
注意:RBAC 授权是叠加的(只增不减),上面这个 Forbidden 结果的前提是前文创建的 ClusterRoleBinding `cluster-ilinux-res-reader` 已被删除;只要它还存在,ilinux 仍拥有集群范围的读权限,新增的 RoleBinding 并不能"收窄"已有授权。