An example
What we want to achieve: restrict this user to viewing cluster resources only, while still letting them look at the monitoring graphs (monitoring).
Role file
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aideveloper-role
  namespace: monitoring
rules:
- apiGroups:
  - ""
  resources:
  - pods/proxy
  - services/proxy
  verbs:
  - get
  - list
  - watch
RoleBinding file
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aideveloper-roleBinding
  namespace: monitoring
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: aideveloper-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: aideveloper
ClusterRoleBinding file
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: aideveloper-view-roleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: aideveloper
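The scoping these three manifests produce, shown as an added example (not code from the post): a small offline model of how the API server resolves a User's request against RoleBindings and ClusterRoleBindings. The point it makes is the one that matters for this design: the pods/proxy and services/proxy permissions granted through the RoleBinding apply only inside the monitoring namespace, while the view rules granted through the ClusterRoleBinding apply in every namespace. The manifests are constructed in-code, the view ClusterRole is a trimmed stand-in for the real built-in, and the `can_i` helper is our own name, chosen to echo `kubectl auth can-i`.

```python
"""Offline model of how RBAC bindings scope a user's permissions.

Added example, not from the original post. Objects are constructed in-code
to mirror the post's Role, RoleBinding and ClusterRoleBinding; the built-in
`view` ClusterRole is trimmed to a few representative rules.
"""
from __future__ import annotations

# Constructed role objects, keyed by (kind, namespace, name).
# A ClusterRole has no namespace, so its key uses None.
ROLES: dict[tuple, list[dict]] = {
    ("Role", "monitoring", "aideveloper-role"): [
        {"apiGroups": [""], "resources": ["pods/proxy", "services/proxy"],
         "verbs": ["get", "list", "watch"]},
    ],
    # Trimmed stand-in for the built-in view ClusterRole (constructed).
    ("ClusterRole", None, "view"): [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed bindings mirroring the two manifests above.
BINDINGS: list[dict] = [
    {"kind": "RoleBinding", "namespace": "monitoring",
     "roleRef": {"kind": "Role", "name": "aideveloper-role"},
     "subjects": [{"kind": "User", "name": "aideveloper"}]},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "aideveloper"}]},
]


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """One PolicyRule matches when group, resource and verb are each listed (or "*").

    Subresources are written as "pods/proxy" in the rule, so the model compares
    that string directly. resourceNames and nonResourceURLs are not modelled.
    """
    def hit(field: str, want: str) -> bool:
        values = rule.get(field, [])
        return want in values or "*" in values
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)


def can_i(user: str, namespace: str, api_group: str, resource: str, verb: str,
          roles: dict = ROLES, bindings: list[dict] = BINDINGS) -> bool:
    """Mimic `kubectl auth can-i` for a User subject in a given namespace."""
    for binding in bindings:
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        # A RoleBinding grants only inside its own namespace;
        # a ClusterRoleBinding grants in every namespace.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        ref = binding["roleRef"]
        # A RoleBinding may reference a Role in its namespace or a ClusterRole.
        key = (ref["kind"], binding["namespace"] if ref["kind"] == "Role" else None, ref["name"])
        if any(rule_allows(rule, api_group, resource, verb) for rule in roles.get(key, [])):
            return True
    return False


if __name__ == "__main__":
    for ns in ("monitoring", "default"):
        print(f"{ns:>10}: pods/proxy get ->", can_i("aideveloper", ns, "", "pods/proxy", "get"),
              "| pods list ->", can_i("aideveloper", ns, "", "pods", "list"))
```

Run it and the proxy permission is granted in monitoring only, while listing pods is granted in both namespaces; that asymmetry is exactly what the aggregation step later in the post would remove if the proxy rules were folded into a cluster-wide role.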
Next, let's look at how to aggregate this read-only monitoring role into view.
If we want one user to be able both to view all resources in the cluster and to view the cluster's monitoring information, we have to create two RoleBindings for that user. Then the question arises: if the permissions we need are more complex, say several dozen kinds, do we write several dozen RoleBindings? Of course not, that would be silly. Since Kubernetes 1.9, RBAC has had an aggregation mechanism: aggregate.
Aggregation works through matchLabels (for example rbac.example.com/aggregate-to-monitoring: "true"), which match every ClusterRole whose metadata carries that label. A ClusterRole with an aggregationRule does not need a rules section of its own; the controller fills it in by collecting the rules of all matching ClusterRoles.
For example:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: roleTest001
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-roletest001: "true"
rules: [] # Rules are automatically filled in by the controller manager.
When a new ClusterRole that matches the matchLabels is created, the controller adds its rules to the aggregating ClusterRole. The manifest below adds the rules of roleTest002 to the ClusterRole roleTest001 above, which is why the rules of roleTest001 did not need to be filled in.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: roleTest002
  labels:
    rbac.authorization.k8s.io/aggregate-to-roletest001: "true"
# These rules will be added to the "roleTest001" ClusterRole.
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "pods"]
  verbs: ["get", "list", "watch"]
Now we can improve the RBAC set up in the previous post: we only need to aggregate the monitoring permissions into view and then assign the user aideveloper the single role view. Even if a hundred intertwined permissions show up later, we only need to add labels, with no need to write many more RoleBindings.
First, let's look at the attributes of the view role:
kubectl edit clusterrole view
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-view: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2021-01-06T10:11:00Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:aggregationRule:
        .: {}
        f:clusterRoleSelectors: {}
      f:metadata:
        f:annotations:
          .: {}
          f:rbac.authorization.kubernetes.io/autoupdate: {}
        f:labels:
          .: {}
          f:kubernetes.io/bootstrapping: {}
          f:rbac.authorization.k8s.io/aggregate-to-edit: {}
    manager: kube-apiserver
    operation: Update
    time: "2021-01-06T10:11:00Z"
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: kube-controller-manager
    operation: Update
    time: "2021-01-07T05:56:44Z"
  name: view
We are pleasantly surprised to find that view is aggregatable by nature: it contains an aggregationRule. Here we see the aggregationRule that selects rbac.authorization.k8s.io/aggregate-to-view: "true", so we only need to add the label rbac.authorization.k8s.io/aggregate-to-view: "true" to the monitoring role we created earlier.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aideveloper-role
  namespace: monitoring
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
  - ""
  resources:
  - pods/proxy
  - services/proxy
  verbs:
  - get
  - list
  - watch
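The aggregation controller described above, modelled offline as an added example (this is not code from the post or from Kubernetes). It covers both the roleTest001/roleTest002 mechanism and the labelled manifest just shown, and it checks two things a practitioner should verify before applying that manifest. First, aggregationRule.clusterRoleSelectors only ever select ClusterRoles, so a namespaced Role carrying the aggregate-to-view label is not collected; the label only takes effect on a ClusterRole. Second, the default view ClusterRole itself carries rbac.authorization.k8s.io/aggregate-to-edit: "true" (visible in the kubectl output above) and edit carries aggregate-to-admin, so whatever is aggregated into view also lands in edit and admin, and because these are ClusterRoles, it applies in every namespace rather than just monitoring. The objects in the block are constructed in-code with the real default label names but trimmed rule bodies; `aggregate`, `roles_permitting` and `as_clusterrole` are our own helper names.

```python
"""Offline model of the ClusterRole aggregation controller.

Added example, not code from the post. The objects below are constructed
in-code: the aggregating view/edit/admin roles carry the labels the real
defaults carry, but their rule bodies are trimmed to a single contributor.
"""
from __future__ import annotations

import copy

AGG = "rbac.authorization.k8s.io/"


def aggregating(name: str, selector_label: str, own_labels: dict | None = None) -> dict:
    """Build a ClusterRole whose rules are meant to be filled in by the controller."""
    return {
        "kind": "ClusterRole",
        "metadata": {"name": name, "labels": own_labels or {}},
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + selector_label: "true"}}]},
        "rules": [],  # filled by the controller, never written by hand
    }


# Constructed sample: the default chain view -> edit -> admin, one trimmed
# built-in contributor to view, and the post's namespaced Role with the
# aggregate-to-view label added (the last manifest above).
SAMPLE: list[dict] = [
    aggregating("admin", "aggregate-to-admin"),
    aggregating("edit", "aggregate-to-edit", {AGG + "aggregate-to-admin": "true"}),
    aggregating("view", "aggregate-to-view", {AGG + "aggregate-to-edit": "true"}),
    {"kind": "ClusterRole",
     "metadata": {"name": "system:aggregate-to-view", "labels": {AGG + "aggregate-to-view": "true"}},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role",
     "metadata": {"name": "aideveloper-role", "namespace": "monitoring",
                  "labels": {AGG + "aggregate-to-view": "true"}},
     "rules": [{"apiGroups": [""], "resources": ["pods/proxy", "services/proxy"], "verbs": ["get", "list", "watch"]}]},
]


def selected(selectors: list[dict], labels: dict) -> bool:
    """matchLabels semantics: some selector has all of its key/value pairs present."""
    return any(all(labels.get(k) == v for k, v in s.get("matchLabels", {}).items()) for s in selectors)


def aggregate(objects: list[dict]) -> dict[str, list[dict]]:
    """Return name -> rules for every ClusterRole once the controller has settled.

    Only ClusterRoles are candidates: clusterRoleSelectors never match a
    namespaced Role, whatever labels it carries. The controller writes the
    collected rules back into the object, so a role aggregated into view is
    picked up by edit on the next reconcile; iterate to a fixed point.
    """
    cluster_roles = [copy.deepcopy(o) for o in objects if o["kind"] == "ClusterRole"]
    for _ in range(len(cluster_roles) + 1):  # chain depth is bounded by the object count
        changed = False
        for cr in cluster_roles:
            selectors = cr.get("aggregationRule", {}).get("clusterRoleSelectors")
            if not selectors:
                continue
            collected = [rule for other in cluster_roles
                         if other is not cr and selected(selectors, other["metadata"].get("labels", {}))
                         for rule in other.get("rules", [])]
            if collected != cr.get("rules", []):
                cr["rules"], changed = collected, True
        if not changed:
            break
    return {cr["metadata"]["name"]: cr.get("rules", []) for cr in cluster_roles}


def allows(rules: list[dict], api_group: str, resource: str, verb: str) -> bool:
    """Any PolicyRule lists (or wildcards) the group, the resource and the verb."""
    def hit(rule: dict, field: str, want: str) -> bool:
        values = rule.get(field, [])
        return want in values or "*" in values
    return any(hit(r, "apiGroups", api_group) and hit(r, "resources", resource) and hit(r, "verbs", verb)
               for r in rules)


def roles_permitting(objects: list[dict], api_group: str, resource: str, verb: str) -> list[str]:
    """Names of the ClusterRoles whose aggregated rules allow the request."""
    return sorted(name for name, rules in aggregate(objects).items() if allows(rules, api_group, resource, verb))


def as_clusterrole(role: dict) -> dict:
    """The post's Role rewritten as a ClusterRole, which is what the label needs to take effect."""
    cr = copy.deepcopy(role)
    cr["kind"] = "ClusterRole"
    cr["metadata"].pop("namespace", None)
    return cr


def promoted_sample() -> list[dict]:
    """SAMPLE with the labelled Role replaced by its ClusterRole form."""
    return SAMPLE[:-1] + [as_clusterrole(SAMPLE[-1])]


if __name__ == "__main__":
    print("pods/proxy get, labelled Role:       ", roles_permitting(SAMPLE, "", "pods/proxy", "get"))
    print("pods/proxy get, labelled ClusterRole:", roles_permitting(promoted_sample(), "", "pods/proxy", "get"))
```

With the Role as written in the post, no aggregating role gains pods/proxy at all; once it is turned into a ClusterRole the permission appears in view, edit and admin together, so the decision is really "every holder of view, edit or admin may proxy to pods and services cluster-wide", not "aideveloper may do so in monitoring".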