鎮樓圖
簡單說明一下創建流程
第一步:role準備,也就是預先定義好一組權限
第二步:創建serviceaccount(簡寫為sa),同時會自動生成一個以sa名字開頭的secret
第三步:將之前預設的role binding到sa。
權限準備 ----> 用戶準備 ----> 權限和用戶綁定
實操
準備一個用來存放用戶(service account)的命名空間
# Namespace that will hold the service accounts created later in this walkthrough
kubectl create ns kube-users
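# Allow every service account in the kube-users namespace to view namespaces
# (and pod metrics) cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # NOTE(review): this annotation and the bootstrapping label below mark the
  # role like one of the API server's built-in bootstrap roles; on a
  # user-created role they presumably have no effect beyond confusing tooling
  # that filters on them — consider dropping both.
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    # This label makes the API server merge the rules below into the built-in
    # `edit` ClusterRole as well; remove it if that side effect is not intended.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: ratel-namespace-readonly
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
---
# Bind the permissions above to the group of all service accounts in kube-users.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ratel-namespace-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-namespace-readonly
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  # The group for "every service account in namespace X" is
  # system:serviceaccounts:X (plural). The original singular form
  # system:serviceaccount:kube-users is not a group name, so the binding
  # matched nobody.
  name: system:serviceaccounts:kube-users
# Save the content above as namespacerelo.yaml, then: kubectl apply -f namespacerelo.yaml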
創建查看namespace內資源的權限
# Read-only (get/list/watch) view of the common namespaced workload resources.
# It is a ClusterRole so one definition can be reused; scope it to a single
# namespace with a RoleBinding (as done later on this page) rather than a
# ClusterRoleBinding unless cluster-wide read access is really intended.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-resource-readonly
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  # pods/log exposes whatever the applications write to their logs, which may
  # include sensitive data — keep that in mind when handing this role out.
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
# The deprecated extensions group: these resources now live under apps /
# networking.k8s.io; this rule only matters on clusters that still serve it.
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
# Permission to open an exec session into pods (plus the pod/log reads needed
# to find them).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-exec
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/log
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  # "create" on pods/exec lets the holder run arbitrary commands inside any
  # container they can reach, with that container's identity, mounts and
  # secrets. Grant it only through a namespaced RoleBinding, keep the set of
  # holders small and reviewed, and make sure pods/exec requests are covered
  # by the cluster's audit policy.
  - pods/exec
  verbs:
  - create
創建pod刪除權限
# Permission to list and delete pods. Pods owned by a controller are recreated,
# but standalone pods are simply gone, so treat this as a disruptive right and
# bind it per namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ratel-pod-delete
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - delete
# Create the service account in the namespace prepared above
kubectl create serviceaccount test -n kube-users
# Verify
[root@master02 RBAC]# kubectl get sa -n kube-users
NAME      SECRETS   AGE
default   1         32h
test      1         23s
# Look at the token secret that was created alongside the service account
[root@master02 RBAC]# kubectl get secrets -n kube-users
NAME                  TYPE                                  DATA   AGE
default-token-484gz   kubernetes.io/service-account-token   3      32h
test-token-2zx6t      kubernetes.io/service-account-token   3      74s
# Inspect test's token
[root@master02 RBAC]# kubectl describe secrets -n kube-users test-token-2zx6t
Name:         test-token-2zx6t
Namespace:    kube-users
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: test
              kubernetes.io/service-account.uid: 4b824424-c7f8-4d06-af04-83703f3b35b8
Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IlkwbmFPNXllaFZUVm15d0l5Zi1YTjBhLUVfVEFzdmJxcnZDU1FpT1l5eGcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXVzZXJzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRlc3R0LXRva2VuLTJ6eDZ0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InRlc3R0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNGI4MjQ0MjQtYzdmOC00ZDA2LWFmMDQtODM3MDNmM2IzNWI4Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtdXNlcnM6dGVzdHQifQ.1ObiHFdqn0YNqtFsnmS5jSRIztdu2lep0nF_6F3Z417Ed5LFU-H35tWuhRYbUTdiTxv6r9W8MgFsDM6s9zGk4O8adZgWOG-AuGP2krbsjNTW0_MRvzy4SkIdCxzsngjyujP51iHKJ5LtwN4hZ1-WU2orf8BHavRYZZdIzB3GbTXYkNt2ZgHgZMMRvxn3M6HjTnsgS6skOKpU7Z4u0RyEFAOdQP5W85Gqm3aMXqpr9Vi8MO0CLX06hOhfkP-8F0uF2br8vxo-5Q5k3SCfhCgsYLHZQUBEpI4PPehh0L1Z7m_YyBduqAh1VdDByVwVFHpRfddvbey_rkorMNBvuBfjiQ
ca.crt:     1233 bytes
namespace:  10 bytes
# The token above is the one used to log in.
# NOTE(review): this token is a long-lived bearer credential — whoever holds it
# acts as the service account with every permission bound to it. Treat it like a
# password: do not paste it into documents, tickets or chat. If it has been
# exposed, delete the token secret so a fresh one is issued and update every
# consumer of the old one. On Kubernetes 1.24 and later, token secrets are no
# longer auto-created for service accounts; use
# `kubectl create token <sa> -n <namespace>` to obtain a short-lived token instead.
為test綁定權限
# Apply the roles defined above (pod exec / delete permissions).
# reloname.yaml is presumably the ClusterRole manifests shown earlier — it is
# not reproduced on this page.
kubectl create -f reloname.yaml
# Bind the permissions
[root@master02 RBAC]# kubectl get rolebinding -n default
NAME                            ROLE                                   AGE
ratel-log-view-sa-java1         ClusterRole/ratel-resource-readonly    3h47m
ratel-log-view-sa-test          ClusterRole/ratel-resource-readonly    161m
ratel-pod-delete-sa-java1       ClusterRole/ratel-pod-delete           3h47m
ratel-pod-delete-sa-test        ClusterRole/ratel-pod-delete           141m
ratel-pod-delete-test           ClusterRole/ratel-pod-delete           146m
ratel-pod-delete-test1          ClusterRole/ratel-pod-delete           19h
ratel-pod-exec-sa-java1         ClusterRole/ratel-pod-exec             3h47m
ratel-pod-exec-sa-test          ClusterRole/ratel-pod-exec             141m
ratel-pod-exec-test             ClusterRole/ratel-pod-exec             146m
ratel-pod-exec-test1            ClusterRole/ratel-pod-exec             19h
ratel-pod-resource-edit-java1   ClusterRole/ratel-resource-edit        3h47m
ratel-pod-resource-edit-test    ClusterRole/ratel-resource-edit        141m
ratel-resource-readonly-test    ClusterRole/ratel-resource-readonly    146m
ratel-resource-readonly-test1   ClusterRole/ratel-resource-readonly    19h
[root@master02 RBAC]# kubectl get rolebinding -n default ratel-log-view-sa-test -o yaml
[root@master02 RBAC]# kubectl get rolebinding -n default ratel-log-view-sa-test -o yaml
apiVersion: rbac.authorization.k8s.io/v1
# A RoleBinding (namespaced) that references a ClusterRole: the service account
# receives the ClusterRole's rules only inside this binding's namespace
# (default), not cluster-wide. This is the least-privilege way to reuse a
# ClusterRole; a ClusterRoleBinding would grant the same rules in every namespace.
kind: RoleBinding
metadata:
  creationTimestamp: "2021-12-17T09:01:38Z"
  # Labels written by the ratel tool (see managedFields below), useful for
  # auditing which bindings it owns.
  labels:
    ratel: "true"
    username: test
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:labels:
          .: {}
          f:ratel: {}
          f:username: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: ratel
    operation: Update
    time: "2021-12-17T09:01:38Z"
  name: ratel-log-view-sa-test
  namespace: default
  resourceVersion: "1103861"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/ratel-log-view-sa-test
  uid: 7269173e-8a26-467f-9c8b-614139b5383d
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ratel-resource-readonly
subjects:
# The subject lives in kube-users while the binding lives in default: a
# service account can be granted rights in namespaces other than its own.
- kind: ServiceAccount
  name: test
  namespace: kube-users
# This is just one simple example; binding the other permissions works the same
# way, and the ratel GUI makes it more convenient.
ratel項目地址:https://github.com/dotbalo/ratel-doc/blob/master/cluster/Install.md