
[CKA Self-Study] Role and RoleBinding


There are two kinds of Role in k8s:

  • A Role granted per Namespace
  • A Role granted cluster-wide
    • A ClusterRole applies to the whole cluster and is not bound to any namespace

Namespaced resources

kubectl api-resources --namespaced=true
  • pods
  • replicasets
  • jobs
  • deployments
  • services
  • secrets
  • roles
  • rolebindings
  • configmaps
  • PVC ....

Cluster-scoped resources

kubectl api-resources --namespaced=false
  • nodes
  • PV
  • clusterroles
  • clusterrolebindings
  • certificatesigningrequests
  • namespaces .....

How to grant a Role

  • Create the Role
  • Create a RoleBinding that names the subjects the Role is granted to

role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list","get","create","update","delete"]

role-binding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test_role_binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io

ClusterRole.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

ClusterRoleBinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io

Checking whether the Role I hold allows access to a resource

kubectl auth can-i create deployments
kubectl auth can-i delete nodes

kubectl auth can-i create deployments --as test_user
kubectl auth can-i create pods --as dev-user

kubectl auth can-i create pods --as dev-user --namespace test
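The scoping rules above (a Role only counts inside its namespace, a ClusterRoleBinding counts everywhere, a ClusterRole referenced from a RoleBinding is limited to that binding's namespace) decide what `kubectl auth can-i` answers. The following is an added example written for this post, not code from the post or from Kubernetes: a small model of that decision, loaded with the post's own manifests. It assumes `role.yaml` was applied in the `default` namespace (the manifest has no namespace field), and it adds two constructed cases, a user `alice` in the `manager` group and a RoleBinding in a `blue` namespace that reuses the `secret-reader` ClusterRole.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

Subject = Tuple[str, str]  # (kind, name), e.g. ("User", "dev-user") or ("Group", "manager")


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]

    def allows(self, api_group: str, resource: str, verb: str) -> bool:
        # "*" in any list is a wildcard, as in a real PolicyRule
        return (("*" in self.api_groups or api_group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class Role:
    name: str
    rules: Tuple[Rule, ...]
    namespace: Optional[str] = None  # None models a ClusterRole


@dataclass(frozen=True)
class Binding:
    role: Role
    subjects: FrozenSet[Subject]
    namespace: Optional[str] = None  # None models a ClusterRoleBinding


def can_i(bindings: Sequence[Binding], who: FrozenSet[Subject], verb: str,
          resource: str, namespace: Optional[str] = None, api_group: str = "") -> bool:
    """Decide one request the way `kubectl auth can-i` does.

    `who` is the requester's User plus every Group it belongs to.
    `namespace=None` means a cluster-scoped resource such as nodes.
    RBAC is allow-only: the first in-scope binding with a matching rule grants.
    """
    for b in bindings:
        if not (b.subjects & who):
            continue
        if b.namespace is None:
            # ClusterRoleBinding: may reference only a ClusterRole, and is in scope
            # for every namespace and for cluster-scoped resources.
            if b.role.namespace is not None:
                raise ValueError(f"ClusterRoleBinding cannot reference Role {b.role.name}")
            in_scope = True
        else:
            # RoleBinding: in scope only inside its own namespace, so it never grants
            # a cluster-scoped resource. It may reference a Role of the same namespace
            # or a ClusterRole, whose rules are then confined to this namespace.
            if b.role.namespace not in (None, b.namespace):
                raise ValueError(f"RoleBinding in {b.namespace} cannot reference a Role in {b.role.namespace}")
            in_scope = namespace == b.namespace
        if in_scope and any(r.allows(api_group, resource, verb) for r in b.role.rules):
            return True
    return False


# --- the post's manifests (role.yaml assumed to live in "default") ---
developer = Role("developer",
                 (Rule(("",), ("pods",), ("list", "get", "create", "update", "delete")),),
                 namespace="default")
test_role_binding = Binding(developer, frozenset({("User", "dev-user")}), namespace="default")

secret_reader = Role("secret-reader", (Rule(("",), ("secrets",), ("get", "watch", "list")),))
read_secrets_global = Binding(secret_reader, frozenset({("Group", "manager")}))

# constructed extra case: the same ClusterRole bound by a RoleBinding in "blue"
read_secrets_blue = Binding(secret_reader, frozenset({("User", "dev-user")}), namespace="blue")

BINDINGS = (test_role_binding, read_secrets_global, read_secrets_blue)
DEV_USER = frozenset({("User", "dev-user")})
MANAGER = frozenset({("User", "alice"), ("Group", "manager")})  # constructed group member


if __name__ == "__main__":
    checks = [
        ("dev-user create pods in default", can_i(BINDINGS, DEV_USER, "create", "pods", namespace="default")),
        ("dev-user create pods in test", can_i(BINDINGS, DEV_USER, "create", "pods", namespace="test")),
        ("dev-user delete nodes", can_i(BINDINGS, DEV_USER, "delete", "nodes")),
        ("manager group get secrets in test", can_i(BINDINGS, MANAGER, "get", "secrets", namespace="test")),
        ("dev-user get secrets in blue", can_i(BINDINGS, DEV_USER, "get", "secrets", namespace="blue")),
        ("dev-user get secrets in default", can_i(BINDINGS, DEV_USER, "get", "secrets", namespace="default")),
    ]
    for label, ok in checks:
        print(f"{label}: {'yes' if ok else 'no'}")
```

The two `ValueError` branches encode the constraints the API server enforces on `roleRef`: a ClusterRoleBinding cannot point at a namespaced Role, and a RoleBinding cannot point at a Role in another namespace. The `blue` case is the one worth remembering for the exam: binding a ClusterRole with a RoleBinding does not make the grant cluster-wide.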

Checking the authorization mode on the API server pod

kubectl describe pod <pod_name> -n <namespace>

# look at the value of the --authorization-mode flag

Viewing resources with a specific user's permissions

kubectl get pods --as dev-user -n default

Creating a Role/RoleBinding with kubectl commands

## the api version is set with edit
kubectl create role test_role -n blue --resource=deployments --verb=create
kubectl create rolebinding test_role_binding --role test_role -n blue --user dev-user