There are two kinds of Role in k8s:
- Role: granted per namespace
- ClusterRole: granted at cluster level
- A ClusterRole applies to the whole cluster and is not tied to a namespace; it is also the only way to grant access to cluster-scoped resources such as nodes
Namespaced resources
kubectl api-resources --namespaced=true
- pods
- replicasets
- jobs
- deployments
- services
- secrets
- roles
- rolebindings
- configmaps
- PVC ....
Cluster-scoped resources
kubectl api-resources --namespaced=false
- nodes
- PV
- clusterroles
- clusterrolebindings
- certificatesigningrequests
- namespaces .....
How to grant a Role
- Create the Role
- Create a RoleBinding that names the subjects (users, groups or service accounts) the Role is granted to
- A RoleBinding may also reference a ClusterRole; the subject then gets the ClusterRole's rules only inside the binding's namespace
role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: default   # a Role is namespaced; without this line kubectl uses the current context's namespace
rules:
- apiGroups: [""]      # "" is the core API group (pods, secrets, configmaps, ...)
  resources: ["pods"]
  verbs: ["list", "get", "create", "update", "delete"]
role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test_role_binding
  namespace: default   # must be the namespace of the Role it references
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
- kind: User
  name: dev-user       # user names come from the authenticator (e.g. the CN of a client certificate)
  apiGroup: rbac.authorization.k8s.io
ClusterRole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
ClusterRoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
# Reading every Secret in the cluster (including kube-system) is effectively cluster-admin level access, so bind it sparingly.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
Checking whether my Role lets me access a resource
kubectl auth can-i create deployments
kubectl auth can-i delete nodes
kubectl auth can-i create deployments --as test_user
kubectl auth can-i create pods --as dev-user
kubectl auth can-i create pods --as dev-user --namespace test
- Without --namespace the check runs against the namespace of the current context, so a "yes" in default says nothing about other namespaces
- --as only works if the caller itself is allowed to impersonate that user (the impersonate verb on users); cluster-admin has it
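The scoping rules behind the four manifests above (Role via RoleBinding, ClusterRole via ClusterRoleBinding, and a ClusterRole reused through a RoleBinding) are what `kubectl auth can-i ... --as ... --namespace ...` evaluates on the API server. The following is an added example, not code from the original post or from Kubernetes: a small model of the RBAC authorizer that answers the same question against manifests held as Python dicts. The manifests mirror the post's developer Role / test_role_binding and secret-reader ClusterRole / read-secrets-global ClusterRoleBinding; the extra "read-secrets-test-only" binding, the user "alice", the group membership and the namespace names are constructed for the example.

```python
"""Minimal model of the Kubernetes RBAC authorizer (added example).

Evaluates "can <subject> <verb> <resource> in <namespace>?" the way the
API server does for Role/RoleBinding and ClusterRole/ClusterRoleBinding.
ServiceAccount subjects, resourceNames and non-resource URLs are not modelled.
"""
from dataclasses import dataclass, field


@dataclass
class Subject:
    name: str                                   # user name, e.g. "dev-user"
    groups: set = field(default_factory=set)    # groups the authenticator put the user in


def _rule_allows(rule, api_group, resource, verb):
    """A rule allows the request only if apiGroups, resources and verbs all match ('*' is a wildcard)."""
    def match(values, want):
        return "*" in values or want in values
    return (match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))


def _subject_matches(binding_subject, subject):
    kind, name = binding_subject["kind"], binding_subject["name"]
    if kind == "User":
        return name == subject.name
    if kind == "Group":
        return name in subject.groups
    return False


def can_i(objects, subject, verb, resource, namespace, api_group=""):
    """True if any binding grants `subject` `verb` on `resource` in `namespace`.

    Scoping implemented, matching the post:
      * RoleBinding -> Role:               only in the binding's namespace
      * RoleBinding -> ClusterRole:        the ClusterRole's rules, only in the binding's namespace
      * ClusterRoleBinding -> ClusterRole: every namespace
    """
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        if not any(_subject_matches(s, subject) for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        if ref["kind"] == "Role":
            if b["kind"] != "RoleBinding":
                continue  # the API rejects a ClusterRoleBinding that references a Role
            key = ("Role", b["metadata"]["namespace"], ref["name"])
        else:
            key = ("ClusterRole", None, ref["name"])
        role = roles.get(key)
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(_rule_allows(r, api_group, resource, verb) for r in role.get("rules", [])):
            return True
    return False


# Constructed manifests mirroring the post's YAML; the Role and its binding live in "default".
MANIFESTS = [
    {"kind": "Role", "metadata": {"name": "developer", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["list", "get", "create", "update", "delete"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "test_role_binding", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "developer"},
     "subjects": [{"kind": "User", "name": "dev-user"}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-global"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "manager"}]},
    # ClusterRole reused through a namespaced RoleBinding (constructed): grants only in "test"
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets-test-only", "namespace": "test"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "dev-user"}]},
]

DEV_USER = Subject("dev-user")                    # bound directly by name
MANAGER = Subject("alice", groups={"manager"})    # constructed user reached only via the group

if __name__ == "__main__":
    checks = [
        (DEV_USER, "create", "pods", "default", ""),       # yes: Role via RoleBinding
        (DEV_USER, "create", "pods", "test", ""),          # no:  the Role is namespace-scoped
        (DEV_USER, "get", "secrets", "test", ""),          # yes: ClusterRole via RoleBinding in "test"
        (DEV_USER, "get", "secrets", "default", ""),       # no:  that RoleBinding does not reach "default"
        (MANAGER, "list", "secrets", "kube-system", ""),   # yes: ClusterRoleBinding covers every namespace
        (DEV_USER, "create", "deployments", "default", "apps"),  # no: apiGroup "apps" is not in [""]
    ]
    for subj, verb, res, ns, group in checks:
        ok = can_i(MANIFESTS, subj, verb, res, ns, api_group=group)
        print(f"can {subj.name} {verb} {res} in {ns}? {'yes' if ok else 'no'}")
```

The last check is why `kubectl auth can-i create deployments` answers "no" for dev-user even though the Role grants create: deployments live in the apps API group, and a rule with apiGroups [""] only covers the core group.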
Checking the authorization mode of the API server
kubectl describe pod <kube-apiserver pod name> -n kube-system
### on a kubeadm cluster the API server runs as a static pod in kube-system; look at the value of --authorization-mode (e.g. Node,RBAC). If the list contains AlwaysAllow, RBAC is not enforced at all
Viewing a resource as a specific user
kubectl get pods --as dev-user -n default
Creating a Role/RoleBinding with kubectl commands
## apiVersion is filled in automatically; adjust the result afterwards with kubectl edit if needed (add --dry-run=client -o yaml to print the manifest instead of creating it)
kubectl create role test_role -n blue --resource=deployments --verb=create
kubectl create rolebinding test_role_binding --role test_role -n blue --user dev-user