16.kubernetes的RBAC
role 分为clsterrole和role
我们从普通的role 开始理解起
[root@master ~]# kubectl create role pod-read --verb=get,list,watch --resource=pods --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: pod-read
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
[root@master ~]# kubectl create rolebinding song-pod-read --role=pod-read --user=song --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: song-pod-read
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-read
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: song
[root@master ~]# kubectl create role pod-read --verb=get,list,watch --resource=pods
role.rbac.authorization.k8s.io/pod-read created
[root@master ~]# kubectl create rolebinding song-pod-read --role=pod-read --user=song
rolebinding.rbac.authorization.k8s.io/song-pod-read created
再次切换我们的song用户,发现他可以再default 命名空间中来查看pod了
[root@master ~]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
debian-869994669d-226qq / Running 21d
filebeat-ds-msmst / Running 23d
filebeat-ds-qkpd9 / Running 23d
haproxy-598b6697db-d7h6w / Running 22d
myapp-deploy-7769f49474-c7w49 / Running 21d
myapp-deploy-7769f49474-r6xjr / Running 21d
myapp-deploy-7769f49474-rwhfc / Running 24d
myapp-deploy-7769f49474-vgshx / Running 24d
myapp-deploy-7769f49474-xcf9m / Running 24d
mysqlxx-784fdd7b55-x9czr-69b97d59d4-slspx / Running 21d
pod-demo / Running 19d
pod-sa / Running 37h
redis-85b846ff9c-h7j72 / Running 23d
redis-state- / CrashLoopBackOff 11d
redis-state- / CrashLoopBackOff 10d
tomcat-test-76789745c5-42c5d / Running 30d
tomcat-test-76789745c5-5wzl7 / Running
在全局还是没有权限。
[root@master ~]# kubectl get pod --all-namespaces
Error from server (Forbidden): pods is forbidden: User "song" cannot list resource "pods" in API group "" at the cluster scope
使用clusterrole给用户授予跨命名空间的大权限
[root@master ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@master ~]# kubectl delete rolebindings.rbac.authorization.k8s.io song-pod-read
rolebinding.rbac.authorization.k8s.io "song-pod-read" deleted
[root@master ~]# kubectl create clusterrole all-pod-read --verb=get,list,watch --resource=pods
clusterrole.rbac.authorization.k8s.io/all-pod-read created
[root@master ~]# kubectl create clusterrolebinding song-all-pod-read --clusterrole=all-pod-read --user=song
clusterrolebinding.rbac.authorization.k8s.io/song-all-pod-read created
[root@master ~]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master ~]# kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default debian-869994669d-226qq / Running 21d
default filebeat-ds-msmst / Running 23d
default filebeat-ds-qkpd9 / Running 23d
default haproxy-598b6697db-d7h6w / Running 22d
default myapp-deploy-7769f49474-c7w49 / Running 21d
default myapp-deploy-7769f49474-r6xjr / Running 21d
default myapp-deploy-7769f49474-rwhfc / Running 24d
default myapp-deploy-7769f49474-vgshx / Running 24d
default myapp-deploy-7769f49474-xcf9m / Running 24d
default mysqlxx-784fdd7b55-x9czr-69b97d59d4-slspx / Running 21d
default pod-demo / Running 19d
default pod-sa / Running 37h
default redis-85b846ff9c-h7j72 / Running 23d
default redis-state- / CrashLoopBackOff 11d
default redis-state- / CrashLoopBackOff 10d
default tomcat-test-76789745c5-42c5d / Running 30d
default tomcat-test-76789745c5-5wzl7 / Running 21d
ingress-nginx nginx-ingress-controller-797b884cbc-zcqsv / Running 20d
kube-system coredns-86c58d9df4-gs9x7 / Running 32d
kube-system coredns-86c58d9df4-srzb9 / Running 32d
kube-system etcd-master / Running 32d
kube-system kube-apiserver-master / Running 32d
kube-system kube-controller-manager-master / Running 32d
kube-system kube-flannel-ds-amd64-2fkc8 / Running 31d
kube-system kube-flannel-ds-amd64-cmjjg / Running 31d
kube-system kube-flannel-ds-amd64-t4b42 / Running 32d
kube-system kube-proxy-mdmp5 / Running 31d
kube-system kube-proxy-qjvhv / Running 31d
kube-system kube-proxy-rkh97 / Running 32d
kube-system kube-scheduler-master / Running 32d
kube-system kubernetes-dashboard-57df4db6b-fw58v / ImagePullBackOff 18d
一般 clusterRoleBinding 用来绑定clsterRole roleBinding 用来绑定 role
但是 roleBinding可以绑定 clusterRole 但是会造成 权限缩小到此命名空间
[root@master ~]# kubectl delete clusterrolebindings.rbac.authorization.k8s.io song-all-pod-read
clusterrolebinding.rbac.authorization.k8s.io "song-all-pod-read" deleted
[root@master ~]# kubectl create rolebinding song-all-pod-read --clusterrole=all-pod-read --user=song
rolebinding.rbac.authorization.k8s.io/song-all-pod-read created
[root@master ~]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master ~]# kubectl get pod --all-namespaces
Error from server (Forbidden): pods is forbidden: User "song" cannot list resource "pods" in API group "" at the cluster scope
集群最高权限查看
[root@master ~]# kubectl describe clusterrole admin
Name: admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
rolebindings.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch]
roles.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch]
configmaps [] [] [create delete deletecollection patch update get list watch]
endpoints [] [] [create delete deletecollection patch update get list watch]
persistentvolumeclaims [] [] [create delete deletecollection patch update get list watch]
pods [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers/scale [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers [] [] [create delete deletecollection patch update get list watch]
services [] [] [create delete deletecollection patch update get list watch]
daemonsets.apps [] [] [create delete deletecollection patch update get list watch]
deployments.apps/scale [] [] [create delete deletecollection patch update get list watch]
deployments.apps [] [] [create delete deletecollection patch update get list watch]
replicasets.apps/scale [] [] [create delete deletecollection patch update get list watch]
replicasets.apps [] [] [create delete deletecollection patch update get list watch]
statefulsets.apps/scale [] [] [create delete deletecollection patch update get list watch]
statefulsets.apps [] [] [create delete deletecollection patch update get list watch]
horizontalpodautoscalers.autoscaling [] [] [create delete deletecollection patch update get list watch]
cronjobs.batch [] [] [create delete deletecollection patch update get list watch]
jobs.batch [] [] [create delete deletecollection patch update get list watch]
daemonsets.extensions [] [] [create delete deletecollection patch update get list watch]
deployments.extensions/scale [] [] [create delete deletecollection patch update get list watch]
deployments.extensions [] [] [create delete deletecollection patch update get list watch]
ingresses.extensions [] [] [create delete deletecollection patch update get list watch]
networkpolicies.extensions [] [] [create delete deletecollection patch update get list watch]
replicasets.extensions/scale [] [] [create delete deletecollection patch update get list watch]
replicasets.extensions [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers.extensions/scale [] [] [create delete deletecollection patch update get list watch]
networkpolicies.networking.k8s.io [] [] [create delete deletecollection patch update get list watch]
poddisruptionbudgets.policy [] [] [create delete deletecollection patch update get list watch]
deployments.apps/rollback [] [] [create delete deletecollection patch update]
deployments.extensions/rollback [] [] [create delete deletecollection patch update]
localsubjectaccessreviews.authorization.k8s.io [] [] [create]
pods/attach [] [] [get list watch create delete deletecollection patch update]
pods/exec [] [] [get list watch create delete deletecollection patch update]
pods/portforward [] [] [get list watch create delete deletecollection patch update]
pods/proxy [] [] [get list watch create delete deletecollection patch update]
secrets [] [] [get list watch create delete deletecollection patch update]
services/proxy [] [] [get list watch create delete deletecollection patch update]
bindings [] [] [get list watch]
events [] [] [get list watch]
limitranges [] [] [get list watch]
namespaces/status [] [] [get list watch]
namespaces [] [] [get list watch]
pods/log [] [] [get list watch]
pods/status [] [] [get list watch]
replicationcontrollers/status [] [] [get list watch]
resourcequotas/status [] [] [get list watch]
resourcequotas [] [] [get list watch]
controllerrevisions.apps [] [] [get list watch]
serviceaccounts [] [] [impersonate create delete deletecollection patch update get list watch]
[root@master ~]# kubectl describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]
16.kubernetes的RBAC的更多相关文章
- 16. kubernetes RBAC
16. kubernetes RBAC授权插件: Node,ABAC,RBAC,webhock RBAC: role based access contrl 基于角色的授权. 角色:(role)许可( ...
- Kubernetes之RBAC
API Server的授权管理 API Server 内部通过用户认证后,然后进入授权流程.对合法用户进行授权并且随后在用户访问时进行鉴权,是权限管理的重要环节.API Server 目前支持一下几种 ...
- Kubernetes的RBAC是啥
RBAC: Role-Based Access Control,基于角色的权限控制,有以下三种角色 Role:角色,它其实是一组规则,定义了一组API对象的操作权限 Subject:被作用者,可以是人 ...
- Kubernetes 基于 RBAC 的授权(十六)
目录 一.RBAC介绍 1.1.角色和集群角色 1.2.RoleBinding 和 ClusterRoleBinding 1.3.资源 1.4.主体 二.命令行工具 2.1.kubectl creat ...
- K8S从入门到放弃系列-(16)Kubernetes集群Prometheus-operator监控部署
Prometheus Operator不同于Prometheus,Prometheus Operator是 CoreOS 开源的一套用于管理在 Kubernetes 集群上的 Prometheus 控 ...
- 10、kubernetes之RBAC认证
一.kubectl proxy # kubectl proxy --port=8080 # curl http://localhost:8080/api/v1/ # curl http://local ...
- kubernetes 1.6 RBAC访问控制
一.简介 之前,Kubernetes中的授权策略主要是ABAC(Attribute-Based Access Control).对于ABAC,Kubernetes在实现上是比较难用的,而且需要Mast ...
- 二进制安装部署kubernetes集群---超详细教程
本文收录在容器技术学习系列文章总目录 前言:本篇博客是博主踩过无数坑,反复查阅资料,一步步搭建完成后整理的个人心得,分享给大家~~~ 本文所需的安装包,都上传在我的网盘中,需要的可以打赏博主一杯咖啡钱 ...
- 手动部署 kubernetes HA 集群
前言 关于kubernetes HA集群部署的方式有很多种(这里的HA指的是master apiserver的高可用),比如通过keepalived vip漂移的方式.haproxy/nginx负载均 ...
随机推荐
- Win下Jenkins-2.138源码编译及填坑笔记
源码编译篇 1. 安装JDK1.8-181,操作系统添加JDK环境变量.Java -version验证一下. 注:Jenkins2.138版本,JDK必须jkd1.8.0-101以上,不支持Java ...
- 设计模式之解释器模式——Java语言描述
解释器模式提供了评估语言的语法或表达式的方式,它属于行为型模式.这种模式实现了一个表达式接口,该接口解释一个特定的上下文.这种模式被用在SQL解析.符号处理引擎等 介绍 意图 给定一个语言,定义它的文 ...
- LeetCode 178. 分数排名
1.题目描述 编写一个 SQL 查询来实现分数排名.如果两个分数相同,则两个分数排名(Rank)相同.请注意,平分后的下一个名次应该是下一个连续的整数值.换句话说,名次之间不应该有“间隔”. +--- ...
- SAP MM 根据采购订单反查采购申请?
SAP MM 根据采购订单反查采购申请? 前日微信上某同行发来一个message,说是想知道如何通过采购订单号查询到其前端的采购申请号. 笔者首先想到去检查采购订单相关的常用报表ME2L/ME2M/M ...
- Android 技能图谱学习路线
这里是在网上找到的一片Android学习路线,希望记录下来供以后学习 1Java 基础 Java Object类方法 HashMap原理,Hash冲突,并发集合,线程安全集合及实现原理 HashMap ...
- virtual table for class
虚函数表 说起虚函数,相信你我都可以自然而然的想到“多态”,因为多态的实现就依赖于虚函数的继承和重写(覆盖).那么,class又或者是object是如何来管理虚函数的呢?你我又会想到虚函数表. 虚函数 ...
- Docker入门笔记
Docker入门笔记 随笔记录初学Docker遇到的问题, 以免下次再犯. 本机系统Ubuntu18.04 安装 Docker有2个版本 Community Edition (CE) 社区版(免费) ...
- PJSUA2开发文档--第十章 媒体质量(MEDIA QUALITY)
10 媒体质量(Media Quality) 10.1 音频质量 如果遇到音频质量问题,可尝试以下步骤: 遵循指南:使用pjsystest测试声音设备. 识别声音问题并使用以下步骤进行故障排除:检查声 ...
- MySql 学习之路-Date函数
MySQL中重要的内建函数 函数 描述 NOW() 返回当前的日期和时间 NOW() 返回当前的日期和时间. 语法 NOW() -- 实例 -- 下面是 SELECT 语句: SELECT NOW() ...
- MySql 学习之路-高级2
目录: 1.约束 2.ALTER TABLE 3.VIEW 1.约束 说明:SQL约束用于规定表中的数据规则,如果存在违反约束的数据行为,行为会被约束终止,约束可以在建表是规定,也可以在建表后规定,通 ...