RBAC: resource objects that can be authorized
- Pods
- ConfigMaps
- Deployments
- Nodes
- Secrets
- Namespaces
- endpoints
- crontabs
- jobs
- Daemonsets
The operations (verbs) that can be granted on the resource objects above are:
- create
- get
- delete
- list
- update
- edit
- watch
- exec
Create a user that only has create and get permissions on Pods in the dev namespace
Create the cluster entry
kubectl config set-cluster dev-cluster --server=https://192.168.3.134:6443 --insecure-skip-tls-verify
Create the user
- Create a private key for the dev user, named dev.key
openssl genrsa -out dev.key 2048
- Create a certificate signing request (CSR) with the private key; the CN becomes the Kubernetes user name and the O becomes its group
openssl req -new -key dev.key -out dev.csr -subj "/CN=dev-user/O=devorg"
- Sign the CSR with the CA certificate and key of the Kubernetes cluster to produce the final certificate
openssl x509 -req -in dev.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dev.crt -days 500
- Create the dev-user credentials from the certificate and private key just created
kubectl config set-credentials dev-user --client-certificate=dev.crt --client-key=dev.key
- Create a context
kubectl config set-context dev-context --cluster=dev-cluster --namespace=dev --user=dev-user
- Verify
[root@master-1 rbac]# kubectl get pods --context=dev-context
Error from server (Forbidden): pods is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "dev"
At this point the user has been created; the error appears because the user has not yet been granted any permissions.
Authorization
Create the permissions (Role)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-role
  namespace: dev
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list","get","create"] # ['*'] can also be used to grant all verbs
Bind the user to the permissions (RoleBinding)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-rolebinding
  namespace: dev
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io # required for User/Group subjects; an empty apiGroup is rejected by the API server
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io # roleRef must always use the rbac.authorization.k8s.io group
Verify
Switch context
kubectl config use-context dev-context
Create a pod
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: dev
  labels:
    name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
[root@master-1 rbac]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 21m
Test deleting the pod
[root@master-1 rbac]# kubectl delete pod nginx
Error from server (Forbidden): pods "nginx" is forbidden: User "dev-user" cannot delete resource "pods" in API group "" in the namespace "dev"
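To make the two Forbidden errors above predictable rather than surprising, here is a small model of the whole authorization path this page walks through: the certificate subject (CN as user, O as group) created in the openssl steps, the RoleBinding that names that user, and the Role rules that decide which verbs are allowed. This is an added illustration, not kube-apiserver code and not part of the original page; the function names (subject_from_cert, authorize, check) and the dataclasses are assumptions of this example, and the RBAC semantics it reproduces are the documented ones (rules are additive, a verb/resource/apiGroup matches literally or via "*", no matching rule means deny). The Role, RoleBinding and subject string are the ones from this page; the group binding used in the usage note is constructed for illustration, since the page binds only the User dev-user.

```python
"""Simplified model of Kubernetes RBAC evaluation for the dev-role example.

Added example, not apiserver code. Models: client-cert subject -> (user, groups)
-> RoleBinding subject match -> Role rule match -> allow/deny.
"""
from dataclasses import dataclass
from typing import List, Tuple


def subject_from_cert(subject: str) -> Tuple[str, List[str]]:
    """Map an OpenSSL-style '/CN=.../O=...' subject the way the apiserver's
    client-certificate authenticator does: CN is the user name, each O is a group.
    (Simplified: does not handle escaped '/' inside attribute values.)"""
    user, groups = None, []
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if user is None:
        raise ValueError("certificate subject has no CN; it cannot identify a user")
    return user, groups


@dataclass
class Rule:
    api_groups: List[str]   # "" is the core group (pods, secrets, ...)
    resources: List[str]
    verbs: List[str]


@dataclass
class Role:
    name: str
    namespace: str
    rules: List[Rule]


@dataclass
class RoleBinding:
    namespace: str
    role: Role
    subjects: List[Tuple[str, str]]   # (kind, name), kind is "User" or "Group"


def _matches(allowed: List[str], wanted: str) -> bool:
    # "*" in a Role field means "any", matching the ['*'] comment on the page
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, verb: str, api_group: str, resource: str) -> bool:
    return (_matches(rule.verbs, verb)
            and _matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource))


def authorize(bindings: List[RoleBinding], user: str, groups: List[str],
              verb: str, api_group: str, resource: str, namespace: str) -> bool:
    """True if some RoleBinding in `namespace` names the user (or one of its
    groups) and its Role has a rule covering the request. RBAC is purely
    additive: there are no deny rules, so no matching rule means denied."""
    for binding in bindings:
        if binding.namespace != namespace or binding.role.namespace != namespace:
            continue
        bound = any((kind == "User" and name == user)
                    or (kind == "Group" and name in groups)
                    for kind, name in binding.subjects)
        if not bound:
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in binding.role.rules):
            return True
    return False


# The Role and RoleBinding from this page, as data.
DEV_ROLE = Role("dev-role", "dev", [Rule([""], ["pods"], ["list", "get", "create"])])
DEV_BINDING = RoleBinding("dev", DEV_ROLE, [("User", "dev-user")])
PAGE_BINDINGS = [DEV_BINDING]


def check(subject: str, verb: str, resource: str, namespace: str,
          api_group: str = "", bindings: List[RoleBinding] = PAGE_BINDINGS) -> bool:
    """Authenticate from the certificate subject, then authorize one request."""
    user, groups = subject_from_cert(subject)
    return authorize(bindings, user, groups, verb, api_group, resource, namespace)


if __name__ == "__main__":
    subj = "/CN=dev-user/O=devorg"   # the -subj value used in the openssl step
    for verb, resource, ns in [("list", "pods", "dev"), ("create", "pods", "dev"),
                               ("delete", "pods", "dev"), ("list", "pods", "default"),
                               ("get", "secrets", "dev")]:
        print(f"{verb:6} {resource:8} in {ns:8}: "
              f"{'allowed' if check(subj, verb, resource, ns) else 'Forbidden'}")
```

Running the block reproduces the page's outcome: list and create on pods in dev are allowed, delete is Forbidden, and the same user gets nothing in another namespace or on another resource, because the only binding lives in dev and the only rule names pods. The model also shows why binding a Group (for example a constructed RoleBinding with subject ("Group", "devorg")) would grant the same rights to every certificate signed by the cluster CA with O=devorg, which is worth remembering when choosing the O value in the CSR. Everything here starts after TLS client authentication; note that the cluster entry on this page skips server verification with --insecure-skip-tls-verify, whereas the same ca.crt used to sign dev.crt can be passed to set-cluster with --certificate-authority so the client also verifies the API server.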