I. User --> RoleBinding --> Role
A Role can only grant access to resources within a single namespace.
1. Create the namespace
# cat namespace-dev.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: development
# kubectl get ns
development Active 56s
2. Create a test Deployment in that namespace
kubectl create -f nginx-deployment.yaml -n development
kubectl get pod -n development
NAME READY STATUS RESTARTS AGE
nginx-deployment-6dd86d77d-pqndm 1/1 Running 0 20s
nginx-deployment-6dd86d77d-q268r 1/1 Running 0 20s
nginx-deployment-6dd86d77d-zn4f4 1/1 Running 0 20s
3. Sign a private certificate with the cluster's existing CA certificate
# cd /etc/kubernetes/pki/
# openssl genrsa -out dev.key 2048
# openssl req -new -key dev.key -out dev.csr -subj "/CN=dev"
# openssl x509 -req -in dev.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out dev.crt -days 3650
# openssl x509 -noout -text -in ./dev.crt
4. Create a user (kubectl credentials) from the generated certificate
# kubectl config set-credentials dev --client-certificate=./dev.crt --client-key=./dev.key --embed-certs=true
User "dev" set.
5. Define a context
# kubectl config set-context dev@kubernetes --cluster=kubernetes --user=dev --namespace=development
Context "dev@kubernetes" created.
6. Create the Role
A Role can only grant access to resources within a single namespace; here the Role is scoped to the development namespace.
kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
# cat role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: development
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
# kubectl apply -f role-demo.yaml
7. Create a RoleBinding that binds the Role to the user
kubectl create rolebinding dev-read-pods --role=pods-reader --user=dev --dry-run -o yaml > rolebinding-demo.yaml
# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-pods
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
# kubectl apply -f rolebinding-demo.yaml
8. Switch context
# kubectl config use-context dev@kubernetes
Switched to context "dev@kubernetes".
# kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-deployment-6dd86d77d-pqndm 1/1 Running 0 22m
nginx-deployment-6dd86d77d-q268r 1/1 Running 0 22m
nginx-deployment-6dd86d77d-zn4f4 1/1 Running 0 22m
# kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" in the namespace "default"
# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
II. User --> ClusterRoleBinding --> ClusterRole
1. Create the ClusterRole
# kubectl create clusterrole cluster-read --verb=get,list,watch --resource=pods,node --dry-run -o yaml > clusterrole-demo.yaml
# cat clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-read
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
2. Define the ClusterRoleBinding
# kubectl create clusterrolebinding dev-read-all-pods --clusterrole=cluster-read --user=dev --dry-run -o yaml > clusterrolebinding-demo.yaml
# cat clusterrolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
3. Delete the earlier RoleBinding
# kubectl delete rolebinding -n development dev-read-pods
rolebinding.rbac.authorization.k8s.io "dev-read-pods" deleted
# kubectl create -f clusterrole-demo.yaml -f clusterrolebinding-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-read created
clusterrolebinding.rbac.authorization.k8s.io/dev-read-all-pods created
4. Define a context
# kubectl config set-context devcluster@kubernetes --cluster=kubernetes --user=dev
Context "devcluster@kubernetes" created.
5. Switch context and test
# kubectl config use-context devcluster@kubernetes
Switched to context "devcluster@kubernetes".
# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-5694ccb578-9m8j8 1/1 Running 0 20d
# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-1 Ready master 49d v1.14.2
k8s-2 Ready <none> 48d v1.14.2
k8s-3 Ready <none> 48d v1.14.2
k8s-4 Ready <none> 15d v1.14.2
k8s-5 Ready <none> 15d v1.14.2
# kubectl get svc
Error from server (Forbidden): services is forbidden: User "dev" cannot list resource "services" in API group "" in the namespace "default"
# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://20.0.20.101:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: development
    user: dev
  name: dev@kubernetes
- context:
    cluster: kubernetes
    user: dev
  name: devcluster@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: devcluster@kubernetes
kind: Config
preferences: {}
users:
- name: dev
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
III. User --> RoleBinding --> ClusterRole
1. Delete the earlier ClusterRoleBinding
# kubectl delete clusterrolebinding dev-read-all-pods
clusterrolebinding.rbac.authorization.k8s.io "dev-read-all-pods" deleted
2. Define the ClusterRole
# kubectl create clusterrole clusterrole-role --verb=get,list,watch --resource=pods,node --dry-run -o yaml > clusterrole-rolebinding.yaml
# vim clusterrole-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: clusterrole-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - watch
3. Define the RoleBinding
# kubectl create rolebinding dev-read-pn --clusterrole=clusterrole-role --user=dev --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
# vim rolebinding-clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-pn
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: clusterrole-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
# kubectl apply -f clusterrole-rolebinding.yaml -f rolebinding-clusterrole-demo.yaml
clusterrole.rbac.authorization.k8s.io/clusterrole-role created
rolebinding.rbac.authorization.k8s.io/dev-read-pn created
4. Switch context
# kubectl config use-context devcluster@kubernetes
Switched to context "devcluster@kubernetes".
# kubectl get pod
No resources found.
# kubectl get pod -A
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" at the cluster scope
# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
glusterfs-dynamic-db9abc87-9e0a-11e9-a2f3-00505694834d ClusterIP 10.103.125.206 <none> 1/TCP 13d
Cluster-scoped resources such as nodes and persistentvolumes, as well as non-resource URLs, do not belong to any namespace, so they cannot be granted through a RoleBinding. No non-namespaced resource can be bound to a user through a RoleBinding; granting those is the job of a ClusterRoleBinding.
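The three outcomes above, as an added example that is not part of the original post and is not kube-apiserver code: a small Python model of how RBAC bindings are evaluated, run over the page's own Role, ClusterRole and binding manifests transcribed as dicts. It shows the rule each section demonstrates: a RoleBinding grants only inside its own namespace even when it references a ClusterRole, while a ClusterRoleBinding grants in every namespace and for cluster-scoped resources. Assumptions: the `CLUSTER_SCOPED` set is a constructed list (a real API server gets this from API discovery); section III's RoleBinding is given `namespace: default`, where it landed because the manifest carried no namespace; and `RB_NODES_VIA_RB` is a constructed extra binding used to show that nodes cannot be granted through a RoleBinding.

```python
"""Model of Kubernetes RBAC binding evaluation (added example, not apiserver code)."""

# Constructed list of resources that live outside any namespace.
CLUSTER_SCOPED = {"nodes", "persistentvolumes", "namespaces",
                  "clusterroles", "clusterrolebindings"}


def _rule_allows(rule, group, resource, verb):
    """One PolicyRule allows (group, resource, verb); '*' is a wildcard."""
    return (any(g in ("*", group) for g in rule.get("apiGroups", []))
            and any(r in ("*", resource) for r in rule.get("resources", []))
            and any(v in ("*", verb) for v in rule.get("verbs", [])))


def index_roles(*roles):
    """Key roles by (kind, namespace, name); ClusterRoles have namespace None."""
    return {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r
            for r in roles}


def can_i(user, verb, resource, namespace, roles, bindings, group=""):
    """True if any binding grants `user` the right to `verb` `resource`.

    namespace=None is a cluster-scope request: a cluster-scoped resource
    (kubectl get node) or a list across all namespaces (kubectl get pod -A).
    """
    if resource in CLUSTER_SCOPED:
        namespace = None  # nodes etc. are never inside a namespace
    for binding in bindings:
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in binding.get("subjects", [])):
            continue
        binding_ns = binding["metadata"].get("namespace")
        if binding["kind"] == "RoleBinding":
            # A RoleBinding only ever grants inside its own namespace,
            # even when its roleRef points at a ClusterRole.
            if namespace is None or namespace != binding_ns:
                continue
        ref = binding["roleRef"]
        # A Role is resolved in the binding's namespace; a ClusterRole is global.
        key = (ref["kind"], binding_ns if ref["kind"] == "Role" else None, ref["name"])
        role = roles.get(key)
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(_rule_allows(r, group, resource, verb) for r in role.get("rules", [])):
            return True
    return False


# The page's manifests, transcribed as dicts.
READ = ["get", "list", "watch"]
DEV = [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "dev"}]
ROLE_PODS_READER = {"kind": "Role",
                    "metadata": {"name": "pods-reader", "namespace": "development"},
                    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": READ}]}
CR_CLUSTER_READ = {"kind": "ClusterRole", "metadata": {"name": "cluster-read"},
                   "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": READ}]}
CR_PODS_SVC = {"kind": "ClusterRole", "metadata": {"name": "clusterrole-role"},
               "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": READ}]}
ROLES = index_roles(ROLE_PODS_READER, CR_CLUSTER_READ, CR_PODS_SVC)

# Section I: Role + RoleBinding in development.
RB_DEV_READ_PODS = {"kind": "RoleBinding",
                    "metadata": {"name": "dev-read-pods", "namespace": "development"},
                    "roleRef": {"kind": "Role", "name": "pods-reader"}, "subjects": DEV}
# Section II: ClusterRole + ClusterRoleBinding.
CRB_DEV_READ_ALL = {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-read-all-pods"},
                    "roleRef": {"kind": "ClusterRole", "name": "cluster-read"}, "subjects": DEV}
# Section III: ClusterRole + RoleBinding; assumed to have landed in "default".
RB_DEV_READ_PN = {"kind": "RoleBinding",
                  "metadata": {"name": "dev-read-pn", "namespace": "default"},
                  "roleRef": {"kind": "ClusterRole", "name": "clusterrole-role"}, "subjects": DEV}
# Constructed: a RoleBinding to the ClusterRole that lists nodes.
RB_NODES_VIA_RB = {"kind": "RoleBinding",
                   "metadata": {"name": "constructed-nodes-rb", "namespace": "default"},
                   "roleRef": {"kind": "ClusterRole", "name": "cluster-read"}, "subjects": DEV}


if __name__ == "__main__":
    checks = [("I  list pods development", "pods", "development", [RB_DEV_READ_PODS]),
              ("I  list pods default", "pods", "default", [RB_DEV_READ_PODS]),
              ("II list pods ingress-nginx", "pods", "ingress-nginx", [CRB_DEV_READ_ALL]),
              ("II list nodes", "nodes", None, [CRB_DEV_READ_ALL]),
              ("II list services default", "services", "default", [CRB_DEV_READ_ALL]),
              ("III list services default", "services", "default", [RB_DEV_READ_PN]),
              ("III list pods -A", "pods", None, [RB_DEV_READ_PN]),
              ("III list nodes via RoleBinding", "nodes", None, [RB_NODES_VIA_RB])]
    for label, res, ns, bindings in checks:
        print(f"{label:32} {'yes' if can_i('dev', 'list', res, ns, ROLES, bindings) else 'no'}")
```

On a real cluster the same questions are answered by the API server itself with `kubectl auth can-i list nodes --as dev` (and `-n development` for namespaced checks), which is the check to run after applying any binding rather than trusting the manifest.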