镇楼图
简单说下创建流程
第一步:准备 role(Role/ClusterRole),即预先定义好的一组权限规则(哪些资源、哪些动词)。
第二步:创建 serviceaccount(简写为 sa)。在 Kubernetes 1.24 之前,创建 sa 时会自动生成一个以 sa 名字开头的 token secret(下文演示的就是这种情况);1.24 及之后不再自动生成,需要用 `kubectl create token <sa>` 签发有时效的 token,或手动创建 `kubernetes.io/service-account-token` 类型的 secret。
第三步:通过 RoleBinding(只在某个命名空间内生效)或 ClusterRoleBinding(整个集群生效)把之前预设的 role 绑定到 sa。给 exec/delete 这类权限时优先用 RoleBinding,把影响范围限制在单个命名空间。
权限准备---->用户准备------>权限和用户绑定
实操
准备一个专门存放(当作"用户"使用的)service account 的命名空间
# Dedicated namespace that only holds the "user" service accounts;
# keeping them apart from workloads makes the later bindings easy to audit.
kubectl create namespace kube-users
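# ClusterRole: lets every service account in the kube-users namespace read
# the list of namespaces and pod metrics (get/list/watch only, no writes).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # NOTE(review): the annotation and the "rbac-defaults" label are copied
  # from the built-in roles. They only mean something for roles the API
  # server bootstraps itself; on a custom role they just make it look like a
  # system default. Kept as in the original post, but safe to drop.
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    # aggregate-to-edit merges these rules into the built-in "edit"
    # ClusterRole (and through it "admin"). Harmless while the rules are
    # read-only; remember it before ever adding write verbs here.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: ratel-namespace-readonly
rules:
- apiGroups: [""]
  resources: [namespaces]
  verbs: [get, list, watch]
- apiGroups: [metrics.k8s.io]
  resources: [pods]
  verbs: [get, list, watch]
---
# ClusterRoleBinding: grant the role above, cluster-wide, to the group that
# contains every service account of the kube-users namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  # Fixed: the per-namespace service-account group is
  # "system:serviceaccounts:<namespace>" (plural). The original
  # "system:serviceaccount:kube-users" is the prefix of an individual SA
  # *username* (system:serviceaccount:<ns>:<name>), not a group, so the
  # binding matched no token at all.
  name: system:serviceaccounts:kube-users
# Save both documents above as namespacerelo.yaml, then:
#   kubectl apply -f namespacerelo.yaml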
创建查看 namespace 内资源的只读权限(ClusterRole ratel-resource-readonly),紧接着是 pod exec 权限(ClusterRole ratel-pod-exec)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-resource-readonly
# Read-only (get/list/watch) view of the usual namespace-scoped workload
# objects. Notes for whoever binds it:
#   - `secrets` is NOT included, which is the whole point of a viewer role;
#     keep it that way.
#   - `configmaps` and `pods/log` are readable, and both routinely leak
#     credentials when applications put them there.
#   - `serviceaccounts` exposes SA names only, not their token secrets.
#   - Bind it with a namespaced RoleBinding (as the post does) so the view is
#     limited to one namespace; a ClusterRoleBinding makes it cluster-wide.
rules:
- apiGroups: [""]
  resources: [configmaps, endpoints, persistentvolumeclaims, pods,
              replicationcontrollers, replicationcontrollers/scale,
              serviceaccounts, services]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [bindings, events, limitranges, namespaces/status, pods/log,
              pods/status, replicationcontrollers/status, resourcequotas,
              resourcequotas/status]
  verbs: [get, list, watch]
- apiGroups: [""]
  resources: [namespaces]
  verbs: [get, list, watch]
- apiGroups: [apps]
  resources: [controllerrevisions, daemonsets, deployments, deployments/scale,
              replicasets, replicasets/scale, statefulsets, statefulsets/scale]
  verbs: [get, list, watch]
- apiGroups: [autoscaling]
  resources: [horizontalpodautoscalers]
  verbs: [get, list, watch]
- apiGroups: [batch]
  resources: [cronjobs, jobs]
  verbs: [get, list, watch]
# The "extensions" API group was removed in Kubernetes 1.22, so on newer
# clusters this rule grants nothing. `ingresses` appears only here; on 1.22+
# the role cannot read Ingress objects unless a networking.k8s.io/ingresses
# rule is added.
- apiGroups: [extensions]
  resources: [daemonsets, deployments, deployments/scale, ingresses,
              networkpolicies, replicasets, replicasets/scale,
              replicationcontrollers/scale]
  verbs: [get, list, watch]
- apiGroups: [policy]
  resources: [poddisruptionbudgets]
  verbs: [get, list, watch]
- apiGroups: [networking.k8s.io]
  resources: [networkpolicies]
  verbs: [get, list, watch]
- apiGroups: [metrics.k8s.io]
  resources: [pods]
  verbs: [get, list, watch]
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-exec
# Lets the subject open an exec session into pods (plus read pods and their
# logs so a target can be found). Treat `create pods/exec` as a
# high-privilege grant: it is arbitrary command execution inside every pod
# the binding covers, and a pod that runs privileged, mounts host paths, or
# carries a powerful SA token turns it into node or cluster compromise.
# Hand it out only through a namespaced RoleBinding, and make sure exec
# requests are captured by API-server audit logging.
rules:
- apiGroups: [""]
  resources: [pods, pods/log]
  verbs: [get, list]
- apiGroups: [""]
  resources: [pods/exec]
  verbs: [create]
创建pod删除权限
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-delete
# Read pods and delete them. Deleting a controller-managed pod only triggers
# a restart; deleting a bare pod removes it for good, so this is mainly an
# availability risk. Still scope it to one namespace with a RoleBinding.
rules:
- apiGroups: [""]
  resources: [pods]
  verbs: [get, list, delete]
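# Create the service account that will act as the "user" (in kube-users).
kubectl create serviceaccount test -n kube-users

# Verify it exists.
kubectl get sa -n kube-users
# NAME      SECRETS   AGE
# default   1         32h
# test      1         23s

# On clusters before v1.24 a token secret named <sa>-token-<hash> is created
# automatically next to the SA (that is the SECRETS=1 above). On v1.24+
# nothing is created here; mint a short-lived, bound token instead with
#   kubectl create token test -n kube-users
kubectl get secrets -n kube-users
# NAME                  TYPE                                  DATA   AGE
# default-token-484gz   kubernetes.io/service-account-token   3      32h
# test-token-2zx6t      kubernetes.io/service-account-token   3      74s

# Show the token. `describe` prints the JWT in clear text, so run this on a
# trusted terminal only and never paste the output into docs, tickets or
# chat: a legacy SA token is a non-expiring bearer credential that stays
# valid until the secret is deleted. The original post published the full
# token; it is redacted below and must be treated as compromised (delete the
# secret so the controller issues a new one, or delete and recreate the SA).
kubectl describe secrets -n kube-users test-token-2zx6t
# Name:         test-token-2zx6t
# Namespace:    kube-users
# Labels:       <none>
# Annotations:  kubernetes.io/service-account.name: test
#               kubernetes.io/service-account.uid: 4b824424-c7f8-4d06-af04-83703f3b35b8
# Type:  kubernetes.io/service-account-token
# Data
# ====
# token:      <REDACTED – eyJhbGciOiJSUzI1NiIsImtpZCI6...>
# ca.crt:     1233 bytes
# namespace:  10 bytes
# The token field is what you log in with (bearer token in ratel, or
# `kubectl --token=...`).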
为test绑定权限
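# Apply the ClusterRoles defined above (pod exec, pod delete, resource
# read-only). The post calls the file reloname.yaml but never shows it being
# written; use whatever file you saved those manifests to.
kubectl create -f reloname.yaml

# Bind them. The bindings below were created by the ratel UI (see
# `manager: ratel` in the YAML further down). Note they are RoleBindings in
# the *target* namespace (default) that reference ClusterRoles: that is the
# pattern to keep, because ClusterRole + RoleBinding scopes the rules to one
# namespace, whereas a ClusterRoleBinding would hand out pods/exec and pod
# delete cluster-wide. Also read this list as an inventory: "test" already
# holds exec, delete and resource-edit bindings in default, far more than the
# read-only example below suggests — prune whatever is not needed.
kubectl get rolebinding -n default
# NAME                           ROLE                                   AGE
# ratel-log-view-sa-java1        ClusterRole/ratel-resource-readonly    3h47m
# ratel-log-view-sa-test         ClusterRole/ratel-resource-readonly    161m
# ratel-pod-delete-sa-java1      ClusterRole/ratel-pod-delete           3h47m
# ratel-pod-delete-sa-test       ClusterRole/ratel-pod-delete           141m
# ratel-pod-delete-test          ClusterRole/ratel-pod-delete           146m
# ratel-pod-delete-test1         ClusterRole/ratel-pod-delete           19h
# ratel-pod-exec-sa-java1        ClusterRole/ratel-pod-exec             3h47m
# ratel-pod-exec-sa-test         ClusterRole/ratel-pod-exec             141m
# ratel-pod-exec-test            ClusterRole/ratel-pod-exec             146m
# ratel-pod-exec-test1           ClusterRole/ratel-pod-exec             19h
# ratel-pod-resource-edit-java1  ClusterRole/ratel-resource-edit        3h47m
# ratel-pod-resource-edit-test   ClusterRole/ratel-resource-edit        141m
# ratel-resource-readonly-test   ClusterRole/ratel-resource-readonly    146m
# ratel-resource-readonly-test1  ClusterRole/ratel-resource-readonly    19h

# Inspect one binding (the original transcript ran this twice; once is enough).
kubectl get rolebinding -n default ratel-log-view-sa-test -o yaml
# apiVersion: rbac.authorization.k8s.io/v1
# kind: RoleBinding
# metadata:
#   creationTimestamp: "2021-12-17T09:01:38Z"
#   labels:
#     ratel: "true"
#     username: test
#   managedFields:
#   - apiVersion: rbac.authorization.k8s.io/v1
#     fieldsType: FieldsV1
#     fieldsV1:
#       f:metadata:
#         f:labels:
#           .: {}
#           f:ratel: {}
#           f:username: {}
#       f:roleRef:
#         f:apiGroup: {}
#         f:kind: {}
#         f:name: {}
#       f:subjects: {}
#     manager: ratel
#     operation: Update
#     time: "2021-12-17T09:01:38Z"
#   name: ratel-log-view-sa-test
#   namespace: default
#   resourceVersion: "1103861"
#   selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-log-view-sa-test
#   uid: 7269173e-8a26-467f-9c8b-614139b5383d
# roleRef:
#   apiGroup: rbac.authorization.k8s.io
#   kind: ClusterRole
#   name: ratel-resource-readonly
# subjects:
# - kind: ServiceAccount
#   name: test
#   namespace: kube-users
# Only roleRef and subjects matter for authorization; managedFields,
# resourceVersion, selfLink and uid are server bookkeeping and should be
# dropped if you turn this into a manifest. The subject is the SA from
# kube-users while the binding lives in default, so the SA can read default's
# resources and nothing in any other namespace. Binding the other roles works
# the same way (the ratel UI is the more convenient route).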
ratel项目地址:https://github.com/dotbalo/ratel-doc/blob/master/cluster/Install.md