Role, RoleBinding, ClusterRole and ClusterRoleBinding are all standard resources in a Kubernetes resource manifest.
We create linuxea-readpod and linuxea-cluster-read to illustrate how RBAC controls permissions, as shown in the figure below:
Use kubectl create role --help to see the help text.
Create the Role
Create a Role with get, list and watch permissions on pods, using --dry-run first to check that the command is free of errors:
[root@linuxea ~]# kubectl create role pods-read --verb=get,list,watch --resource=pods --dry-run
role.rbac.authorization.k8s.io/pods-read created (dry run)
You can also add -o yaml to emit the manifest in YAML format:
[root@linuxea role]# kubectl create role pods-read --verb=get,list,watch --resource=pods --dry-run -o yaml >> ./role-demo.yaml
Then edit the file and add namespace: default:
[root@linuxea role]# cat ./role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: pods-read
namespace: default
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
Apply it:
[root@linuxea role]# kubectl apply -f ./role-demo.yaml
role.rbac.authorization.k8s.io/pods-read created
[root@linuxea role]# kubectl get role
NAME AGE
pods-read 3s
[root@linuxea role]# kubectl describe pods-read
error: the server doesn't have a resource type "pods-read"
[root@linuxea role]# kubectl describe role pods-read
Name: pods-read
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"creationTimestamp":null,"name":"pods-read","namespace":"defaul...
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
pods [] [] [get list watch]
A rule can be narrowed further to a particular object:
Resources is the resource type (here pods);
Resource Names restricts the rule to specific named objects of that type;
Non-Resource URLs are endpoints that do not correspond to an object resource and are defined for certain special operations.
Earlier we created a user, linuxea, who has no permission to read pods. To let linuxea take on this Role, we need to bind it with a RoleBinding.
Create the RoleBinding
A RoleBinding can reference either a Role or a ClusterRole; here we bind a Role, then specify a user name or group name. If the subject is a service account rather than a normal user account, specify the ServiceAccount name instead.
Now bind the linuxea user created earlier to the pods-read Role.
Create a RoleBinding named linuxea-readpod, referencing the Role created above with --role=pods-read and setting --user=linuxea; this account does not exist on the system, it is only an identifier:
[root@linuxea role]# kubectl create rolebinding linuxea-readpod --role=pods-read --user=linuxea --dry-run -o yaml >> ./rolebinding-demo.yaml
The generated YAML spells out the API group of the roleRef together with the kind and name within that group, and likewise the API group, kind and user name of the subject:
[root@linuxea role]# cat ./rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: linuxea-readpod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pods-read
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: linuxea
Apply it:
[root@linuxea role]# kubectl apply -f rolebinding-demo.yaml
rolebinding.rbac.authorization.k8s.io/linuxea-readpod created
[root@linuxea role]# kubectl get rolebinding
NAME AGE
linuxea-readpod 11s
[root@linuxea role]# kubectl describe rolebinding linuxea-readpod
Name: linuxea-readpod
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"linuxea-readpod","names...
Role:
Kind: Role
Name: pods-read
Subjects:
Kind Name Namespace
---- ---- ---------
User linuxea
The linuxea user now has get and list permissions. Switch to the linuxea user and get pods:
[root@linuxea ~]# kubectl config use-context linuxea@kubernetes
Switched to context "linuxea@kubernetes".
Checking the current user shows current-context: linuxea@kubernetes:
[root@linuxea ~]# kubectl config view
....
- context:
cluster: kubernetes
user: linuxea
name: linuxea@kubernetes
current-context: linuxea@kubernetes
....
Then get pods; since the user was granted get and list on pods in the current namespace, listing them works:
[root@linuxea ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
linuxea-sa-demo 1/1 Running 0 1d
linuxea-tomcat-group-b77666d76-4h5mz 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-89qnx 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-gvm4w 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-jszbg 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-l5nkq 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-lxr8r 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-m5sxg 1/1 Running 0 3d
satefulset-0 1/1 Running 0 5d
satefulset-1 1/1 Running 0 5d
satefulset-2 1/1 Running 0 5d
satefulset-3 1/1 Running 0 5d
satefulset-4 1/1 Running 0 5d
Other operations, such as delete, are not permitted:
[root@linuxea ~]# kubectl delete pods linuxea-tomcat-group-b77666d76-4h5mz
Error from server (Forbidden): pods "linuxea-tomcat-group-b77666d76-4h5mz" is forbidden: User "linuxea" cannot delete pods in the namespace "default"
Other resources, and other namespaces, are still not permitted:
[root@linuxea ~]# kubectl get svc
No resources found.
Error from server (Forbidden): services is forbidden: User "linuxea" cannot list services in the namespace "default"
[root@linuxea ~]# kubectl get pods -n ingress-nginx
No resources found.
Error from server (Forbidden): pods is forbidden: User "linuxea" cannot list pods in the namespace "ingress-nginx"
[root@linuxea ~]#
Create the ClusterRole
Switch back to the admin account to create the ClusterRole:
[root@linuxea ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
Append the generated configuration to ./clusterrole.yaml.
Create a ClusterRole named linuxea-cluster-read with list, get and watch permissions. A ClusterRole grants permissions at the cluster level:
[root@linuxea role]# kubectl create clusterrole linuxea-cluster-read --verb=get,list,watch --resource=pods -o yaml --dry-run >> ./clusterrole.yaml
Then apply it:
[root@linuxea role]# kubectl apply -f clusterrole.yaml
clusterrole.rbac.authorization.k8s.io/linuxea-cluster-read created
Use kubectl get clusterrole to view the newly created linuxea-cluster-read:
[root@linuxea role]# kubectl get clusterrole
NAME AGE
....
linuxea-cluster-read 13m
....
Now bind the linuxea user through a ClusterRoleBinding. First delete the RoleBinding created earlier:
[root@linuxea role]# kubectl get rolebinding
NAME AGE
linuxea-readpod 1h
[root@linuxea role]# kubectl delete rolebinding linuxea-readpod
rolebinding.rbac.authorization.k8s.io "linuxea-readpod" deleted
At this point the linuxea account has no permissions in any namespace, and the ClusterRole has already been created. Next, create the ClusterRoleBinding.
Create the ClusterRoleBinding
A ClusterRoleBinding can only reference a ClusterRole.
Create a ClusterRoleBinding named linuxea-cluster-read (the same name as the ClusterRole), binding the user to the ClusterRole linuxea-cluster-read:
[root@linuxea role]# kubectl create clusterrolebinding linuxea-cluster-read --clusterrole=linuxea-cluster-read --user=linuxea --dry-run -o yaml >> ./clusterrolebinding.yaml
[root@linuxea role]# cat ./clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: linuxea-cluster-read
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: linuxea-cluster-read
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: linuxea
Use kubectl get clusterrolebinding to confirm the ClusterRoleBinding has been created:
[root@linuxea role]# kubectl get clusterrolebinding
NAME AGE
.....
linuxea-cluster-read 22s
.....
Look at the describe output of the new ClusterRoleBinding:
[root@linuxea role]# kubectl describe clusterrolebinding linuxea-cluster-read
Name: linuxea-cluster-read
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"linuxea-clu...
Role:
Kind: ClusterRole
Name: linuxea-cluster-read
Subjects:
Kind Name Namespace
---- ---- ---------
User linuxea
Then switch to the linuxea user and verify the permissions granted by the ClusterRole:
[root@linuxea role]# kubectl config use-context linuxea@kubernetes
Switched to context "linuxea@kubernetes".
The earlier grant covered list and get on pods in a single namespace only; getting pods in default still works:
[root@linuxea role]# kubectl get pods
NAME READY STATUS RESTARTS AGE
linuxea-sa-demo 1/1 Running 0 2d
linuxea-tomcat-group-b77666d76-4h5mz 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-89qnx 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-gvm4w 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-jszbg 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-l5nkq 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-lxr8r 1/1 Running 0 3d
linuxea-tomcat-group-b77666d76-m5sxg 1/1 Running 0 3d
satefulset-0 1/1 Running 0 5d
satefulset-1 1/1 Running 0 5d
satefulset-2 1/1 Running 0 5d
satefulset-3 1/1 Running 0 5d
satefulset-4 1/1 Running 0 5d
Switch namespace with get pods -n kube-system:
[root@linuxea role]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-78fcdf6894-mvdln 1/1 Running 0 19d
coredns-78fcdf6894-zwqfw 1/1 Running 0 19d
etcd-linuxea.master-1.com 1/1 Running 0 19d
kube-apiserver-linuxea.master-1.com 1/1 Running 0 19d
kube-controller-manager-linuxea.master-1.com 1/1 Running 0 19d
kube-flannel-ds-amd64-5swqs 1/1 Running 0 19d
kube-flannel-ds-amd64-fwzjl 1/1 Running 0 19d
kube-flannel-ds-amd64-gtqhv 1/1 Running 0 19d
kube-flannel-ds-amd64-qmhq9 1/1 Running 0 19d
kube-proxy-64jwb 1/1 Running 0 19d
kube-proxy-sllmj 1/1 Running 0 19d
kube-proxy-tzdlj 1/1 Running 0 19d
kube-proxy-vwtx4 1/1 Running 0 19d
kube-scheduler-linuxea.master-1.com 1/1 Running 0 19d
Or the ingress-nginx namespace:
[root@linuxea role]# kubectl get pods -n ingress-nginx
NAME READY STATUS RESTARTS AGE
default-http-backend-6586bc58b6-n9qbt 1/1 Running 0 19d
nginx-ingress-controller-6bd7c597cb-krz4m 1/1 Running 0 19d
Of course, apart from the granted list and get, everything not granted is denied; in other words, the user has no permission for it:
[root@linuxea role]# kubectl delete pods kube-flannel-ds-amd64-qmhq9
Error from server (Forbidden): pods "kube-flannel-ds-amd64-qmhq9" is forbidden: User "linuxea" cannot delete pods in the namespace "default"
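To make the two phases of this walkthrough (Role plus RoleBinding, then ClusterRole plus ClusterRoleBinding) easy to reason about without a cluster, here is an added example that models the RBAC decision in Python. It is not kubectl or API-server code; the manifests are Python dicts constructed from the YAML files shown above (the RoleBinding's namespace is set to default, the namespace it was applied into), and the function names authorize, index_roles and can_linuxea are this example's own. It reproduces the page's results: a RoleBinding only grants inside its own namespace, a ClusterRoleBinding grants in every namespace, and any verb or resource not listed in a rule is denied.

```python
"""Minimal model of the Kubernetes RBAC authorization decision (added example,
not kubectl or API-server code).

authorize() answers "may USER do VERB on RESOURCE in NAMESPACE?" the way the
RBAC authorizer does: find a binding whose subjects include the user, resolve
its roleRef to a role that exists, and check the role's rules.  A RoleBinding is
consulted only for requests in its own namespace; a ClusterRoleBinding applies
in every namespace.  Anything not explicitly granted is denied.
"""

# Role pods-read in namespace default (constructed from ./role-demo.yaml above)
ROLE_PODS_READ = {
    "kind": "Role",
    "metadata": {"name": "pods-read", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

# RoleBinding linuxea-readpod; kubectl omitted the namespace field in the dry-run
# output, and the binding was applied into default, which is recorded here.
ROLEBINDING_LINUXEA_READPOD = {
    "kind": "RoleBinding",
    "metadata": {"name": "linuxea-readpod", "namespace": "default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pods-read"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "linuxea"}],
}

# ClusterRole linuxea-cluster-read (constructed from ./clusterrole.yaml): same rule, no namespace
CLUSTERROLE_LINUXEA_CLUSTER_READ = {
    "kind": "ClusterRole",
    "metadata": {"name": "linuxea-cluster-read"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

# ClusterRoleBinding linuxea-cluster-read (constructed from ./clusterrolebinding.yaml)
CLUSTERROLEBINDING_LINUXEA_CLUSTER_READ = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "linuxea-cluster-read"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "linuxea-cluster-read"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "linuxea"}],
}


def _rule_allows(rule, api_group, resource, verb, name):
    """A PolicyRule matches when apiGroup, resource and verb all match;
    resourceNames, when present, further restricts it to named objects."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    if not (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb)):
        return False
    names = rule.get("resourceNames")
    return not names or name in names


def _subject_matches(subject, user, groups):
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":  # service accounts authenticate under this user name form
        return user == "system:serviceaccount:%s:%s" % (subject.get("namespace", ""), subject["name"])
    return False


def index_roles(*role_objects):
    """Key Roles by ("Role", namespace, name) and ClusterRoles by ("ClusterRole", None, name)."""
    idx = {}
    for obj in role_objects:
        ns = obj["metadata"].get("namespace") if obj["kind"] == "Role" else None
        idx[(obj["kind"], ns, obj["metadata"]["name"])] = obj
    return idx


def authorize(user, verb, resource, namespace, roles, bindings, api_group="", groups=(), name=None):
    """Return True only if some binding grants the request; the default is deny."""
    for binding in bindings:
        if not any(_subject_matches(s, user, groups) for s in binding.get("subjects", [])):
            continue
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding never reaches outside its own namespace
        ref = binding["roleRef"]
        if ref["kind"] == "Role":
            if binding["kind"] != "RoleBinding":
                continue  # a ClusterRoleBinding may only reference a ClusterRole
            key = ("Role", binding["metadata"]["namespace"], ref["name"])
        else:
            key = ("ClusterRole", None, ref["name"])  # RoleBindings may reference ClusterRoles too
        role = roles.get(key)
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(_rule_allows(r, api_group, resource, verb, name) for r in role["rules"]):
            return True
    return False


# Phase 1 of the post: only the Role and its RoleBinding exist.
PHASE1_ROLES, PHASE1_BINDINGS = index_roles(ROLE_PODS_READ), [ROLEBINDING_LINUXEA_READPOD]
# Phase 2: the RoleBinding is deleted, ClusterRole and ClusterRoleBinding are added.
PHASE2_ROLES = index_roles(ROLE_PODS_READ, CLUSTERROLE_LINUXEA_CLUSTER_READ)
PHASE2_BINDINGS = [CLUSTERROLEBINDING_LINUXEA_CLUSTER_READ]


def can_linuxea(verb, resource, namespace, phase):
    roles, bindings = (PHASE1_ROLES, PHASE1_BINDINGS) if phase == 1 else (PHASE2_ROLES, PHASE2_BINDINGS)
    return authorize("linuxea", verb, resource, namespace, roles, bindings)


if __name__ == "__main__":
    for phase in (1, 2):
        for verb, res, ns in [("list", "pods", "default"), ("delete", "pods", "default"),
                              ("list", "services", "default"), ("list", "pods", "kube-system")]:
            print("phase %d: linuxea %s %s in %s -> %s" % (phase, verb, res, ns, can_linuxea(verb, res, ns, phase)))
```

Against a live cluster the same questions are answered by kubectl auth can-i, run as the admin context with impersonation, for example kubectl auth can-i list pods -n kube-system --as linuxea; this checks a grant without switching contexts and is a quick way to audit what a binding actually confers before handing out credentials.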