Table of contents
- Fine-grained permission assignment: implementing fine-grained permissions with a sa and a custom role
- 1. Create the sa
- 2. Create a role and bind it to the sa
- 3. Grant namespace permissions: set up a ClusterRole and ClusterRoleBinding
Fine-grained permission assignment: implementing fine-grained permissions with a sa and a custom role
1. Create the sa
kubectl create sa lishanbin -n planck
2. Create a role and bind it to the sa
The role role-sa has only view permissions on all pods in the planck namespace, plus view permission on deployments; it has no permission to delete or modify these resources.
[root@k8s-master ~]# cat sa-role-binding.yaml
#k8s 1.22.10
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-sa
  namespace: planck # the target Namespace
rules: # permission assignment
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/attach"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/status"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["podtemplates"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["replicationcontrollers"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["replicationcontrollers/status"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["services/status"]
  verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-role-binding
  namespace: planck # the target Namespace
subjects:
- kind: ServiceAccount
  name: lishanbin # the ServiceAccount to bind
  namespace: planck # the target Namespace
roleRef:
  kind: Role
  name: role-sa
  apiGroup: rbac.authorization.k8s.io
3. Grant namespace permissions: set up a ClusterRole and ClusterRoleBinding
This extra grant is needed because the token in the sa's secret is only used in the dashboard, and the Role and RoleBinding above are confined to the dev namespace; only with this binding in place can the token log in to the dashboard home page, otherwise no namespace can be selected.
cat rbac-cluster-role-binding.yaml
#k8s 1.22.10
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-namespace-role
rules:
- apiGroups: [""] # permissions: only list on namespaces
  resources: ["namespaces"]
  verbs: ["list"]
- apiGroups: [""]
  resources: ["namespaces/status"]
  verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-default-role-binding
subjects:
- kind: ServiceAccount
  name: lishanbin # the custom ServiceAccount
  namespace: planck # the Namespace the ServiceAccount lives in
roleRef:
  kind: ClusterRole
  name: rbac-namespace-role # the Role configured above
  apiGroup: rbac.authorization.k8s.io

kubectl -n planck describe secret $(kubectl get secret -n planck | grep lishanbin | awk '{print $1}')
The Kubernetes dashboard supports two authentication methods, Token and kubeconfig, so with the token obtained above you can use it to access the resources in the planck namespace.
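As an added example (not part of the original post), the following Python mirrors the Kubernetes RBAC rule-matching semantics so you can check offline, the way `kubectl auth can-i` would, what the lishanbin sa can and cannot do under the Role and ClusterRole above, and flag rules worth a second look before applying; the rules are transcribed from the YAML above with same-verb rules merged, and it assumes the sa has no other bindings in the cluster.

```python
# Added example: an offline "kubectl auth can-i" for the lishanbin ServiceAccount,
# applying Kubernetes RBAC matching to the Role/ClusterRole above (assumes the SA
# has no other bindings). Rules below are transcribed, same-verb rules merged.
ROLE_SA_RULES = [
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["pods", "pods/log", "pods/attach", "pods/exec", "pods/status",
                   "podtemplates", "configmaps", "endpoints", "events",
                   "replicationcontrollers", "services", "services/status"]},
    {"apiGroups": [""], "resources": ["replicationcontrollers/status"], "verbs": ["get"]},
    {"apiGroups": ["extensions", "apps"], "verbs": ["get", "list", "watch"],
     "resources": ["deployments", "statefulsets"]},
]
# Rules transcribed from the ClusterRole rbac-namespace-role.
CLUSTER_RULES = [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["list"]},
    {"apiGroups": [""], "resources": ["namespaces/status"], "verbs": ["get"]},
]
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# These handlers also accept GET (WebSocket upgrade), so "get" on them is not
# read-only: it opens an interactive session into running containers.
INTERACTIVE = {"pods/exec", "pods/attach", "pods/portforward"}

def _resource_matches(rule_resources, resource, subresource):
    # API server semantics: "*" matches all, "pods/exec" must be listed as a whole,
    # "*/status" matches that subresource on any resource.
    combined = f"{resource}/{subresource}" if subresource else resource
    return any(r == "*" or r == combined or (subresource and r == f"*/{subresource}")
               for r in rule_resources)

def rule_allows(rule, verb, group, resource, subresource=""):
    return (("*" in rule["apiGroups"] or group in rule["apiGroups"])
            and ("*" in rule["verbs"] or verb in rule["verbs"])
            and _resource_matches(rule["resources"], resource, subresource))

def can_i(verb, resource, subresource="", group="", namespace="planck"):
    """Role rules count only inside planck; ClusterRole rules count everywhere."""
    rules = CLUSTER_RULES + (ROLE_SA_RULES if namespace == "planck" else [])
    return any(rule_allows(r, verb, group, resource, subresource) for r in rules)

def audit(rules):
    """Findings to review before applying: write verbs, wildcards, read verbs that still reach into containers."""
    findings = []
    for rule in rules:
        if WRITE_VERBS & set(rule["verbs"]) or "*" in rule["verbs"]:
            findings.append(f"write access on {rule['resources']}")
        if "*" in rule["apiGroups"] or "*" in rule["resources"]:
            findings.append("wildcard apiGroup or resource")
        findings += [f"{r}: 'get' permits exec/attach" for r in rule["resources"] if r in INTERACTIVE]
    return findings
```

Running `audit(ROLE_SA_RULES)` reports the pods/exec and pods/attach entries, which is the one place where this otherwise read-only role grants more than viewing; drop them if the sa does not need a terminal in the dashboard.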