哪里可以做宝盈网站,网站模板 寻模板,安徽省交通运输厅,网站域名怎么缴费RBAC引入了4个顶级资源对象#xff1a;Role、ClusterRole#xff1a;角色#xff0c;用于指定一组权限#xff1b;RoleBinding、ClusterRoleBinding#xff1a;角色绑定#xff0c;用于将角色#xff08;权限#xff09;赋予给对象 咱们通过Role可以配置命名空间下资源…RBAC引入了4个顶级资源对象Role、ClusterRole角色用于指定一组权限RoleBinding、ClusterRoleBinding角色绑定用于将角色权限赋予给对象 咱们通过Role可以配置命名空间下资源的访问权限例如podservicedeployment等资源是否可以修改删除等权限Role只能对命名空间内的资源进行授权需要指定nameapce ClusterRole是整个kubernetes下的资源的访问权限的控制跨namespaces的范围资源、非资源类型进行授权 我当前app整个命名空间下有一些pod我们以app这个命名空间创建一个xiaom的用户这个用户只能app这个命名空间下的PodDeployment的资源其他的资源没权限更改 [rootk8s-master1 RBAC]# kubectl get pods -n app -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES dsf-67b6bd65c9-44rl4 2/2 Running 16 (3h15m ago) 25d 10.10.135.218 k8s-master3 none none ingress-nginx-controller-74974c55bd-2bw2r 1/1 Running 6 (20h ago) 2d1h 192.168.21.100 k8s-node1 none none ingress-nginx-controller-74974c55bd-j24mf 1/1 Running 10 (3h15m ago) 31d 192.168.21.122 k8s-master3 none none nginx-55c7d65db4-z4rcc 1/1 Running 4 (20h ago) 2d1h 10.10.36.96 k8s-node1 none none postgres-sonar-5b9d94cd6b-965tk 1/1 Running 2 (3h15m ago) 2d1h 10.10.135.221 k8s-master3 none none tomcat-657677ffb5-2nrfc 1/1 Running 8 (3h15m ago) 26d 10.10.135.222 k8s-master3 none noneRole的配置示例 [rootk8s-master1 app]# kubectl apply -f app-Role.yaml role.rbac.authorization.k8s.io/app-authorization-Role created[rootk8s-master1 app]# cat app-Role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata:namespace: app #指定命名空间name: app-authorization-Role rules:- apiGroups: [ ] #支持的API组列表, 空字符串表示核心API群resources: [ pod ] #支持的资源对象列表verbs: [ get,delete,create,delete,exec ] #允许的对资源对象的操作方法列表apiGroups表示支持的API组列表“”,“apps”, “autoscaling”, “batch”; resources: 支持的资源对象列表 “services”, “endpoints”, “pods”,“secrets”,“configmaps”,“crontabs”,“deployments”,“jobs”, “nodes”,“rolebindings”,“clusterroles”,“daemonsets”,“replicasets”,“statefulsets”, “horizontalpodautoscalers”,“replicationcontrollers”,“cronjobs” verbs: 对资源对象的操作方法列表 “get”, “list”, “watch”, “create”, “update”, “patch”, “delete”, “exec” RoleBinding可以将同一namespace中的subject(用户、用户组)绑定到某个Role(规则)下则此subject即具有该Role定义的权限. [rootk8s-master1 app]# cat app-RoleBinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata:name: app-authorization-role-bindingnamespace: app subjects:- kind: Username: xiaomapiGroup: rbac.authorization.k8s.io roleRef:kind: Rolename: app-authorization-RoleapiGroup: rbac.authorization.k8s.io [rootk8s-master1 app]# kubectl apply -f app-RoleBinding.yaml创建一个xiaom的集群用户验证一下 [rootk8s-master1 user]# pwd /opt/certs/user (umask 077;openssl genrsa -out xiaom.key 2048) [rootk8s-master1 user]# openssl req -new -key xiaom.key -out xiaom.csr -subj /CNxiaom/Oxiaomgroup [rootk8s-master1 user]# openssl x509 -req -in xiaom.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out xiaom.crt -days 3650 [rootk8s-master1 app]# kubectl config set-cluster kubernetes --embed-certstrue --certificate-authority/opt/kubernetes/certs/ca.pem --serverhttps://192.168.21.120:6443 [rootk8s-master1 app]# kubectl config set-credentials xiaom --embed-certstrue --client-certificate/opt/certs/user/xiaom.crt --client-key/opt/certs/user/xiaom.key User xiaom set. [rootk8s-master1 app]# kubectl config set-context xiaomkubernetes --clusterkubernetes --userxiaom Context xiaomkubernetes modified. [rootk8s-master1 app]# kubectl config use-context xiaomkubernetes Switched to context xiaomkubernetes. [rootk8s-master1 ~]# kubectl get pods -n app NAME READY STATUS RESTARTS AGE dsf-67b6bd65c9-44rl4 2/2 Running 18 (17h ago) 26d host-path-nginx 2/2 Running 2 (17h ago) 17h ingress-nginx-controller-74974c55bd-2bw2r 1/1 Running 7 (17h ago) 2d22h ingress-nginx-controller-74974c55bd-j24mf 1/1 Running 11 (17h ago) 32d nginx-55c7d65db4-t6mgz 1/1 Running 0 79m postgres-sonar-5b9d94cd6b-965tk 1/1 Running 3 (141m ago) 2d22h tomcat-657677ffb5-2nrfc 1/1 Running 9 (17h ago) 26d [rootk8s-master1 ~]# kubectl get deployment -n app Error from server (Forbidden): deployments.apps is forbidden: User xiaom cannot list resource deployments in API group apps in the namespace app 咱们创建一个集群权限将这个权限赋予给xiaom这个用户当前xiaom这个用户没有操作deployment的权限咱们创建一个deployment的集群权限赋予给xiaom这个用户这样xiaom这个用户可以操作所有命名空间下的deployment ClusterRole可以对集群范围内资源、跨namespaces的范围资源、非资源类型进行授权 [rootk8s-master1 app]# kubectl apply -f app-ClusterRole.yaml clusterrole.rbac.authorization.k8s.io/app-authorization-clusterrole created [rootk8s-master1 app]# cat app-ClusterRole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:name: app-authorization-clusterrole rules:- apiGroups: [ apps ]resources: [ deployments ]verbs: [ get,delete,create,delete ]ClusterRoleBinding在整个集群级别和所有namespaces将不同namespace中的subject(用户、用户组)与ClusterRole(集群范围内资源)绑定授予权限 [rootk8s-master1 app]# kubectl apply -f app-ClusterRoleBinding.yaml clusterrolebinding.rbac.authorization.k8s.io/app-authorization-clusterrole-binding created [rootk8s-master1 app]# cat app-ClusterRoleBinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:name: app-authorization-clusterrole-binding subjects:- kind: Username: xiaomapiGroup: rbac.authorization.k8s.io roleRef:kind: ClusterRolename: app-authorization-clusterroleapiGroup: rbac.authorization.k8s.io RoleBinding可以引用ClusterRole对属于同一命名空间内ClusterRole定义的资源主体进行授权 [rootk8s-master1 app]# cat app-RoleClusterBinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata:name: app-ClusterRoleBindingnamespace: app subjects:- kind: Username: xiaomapiGroup: rbac.authorization.k8s.io roleRef:kind: ClusterRolename: app-authorization-clusterroleapiGroup: rbac.authorization.k8s.io [rootk8s-master1 app]# kubectl config use-context xiaomkubernetes [rootk8s-master1 app]# kubectl get deployment -A NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE app busybox 0/0 0 0 35d app dsf 1/1 1 1 26d app hostpath 0/0 0 0 35d app ingress-nginx-controller 2/2 2 2 32d app nginx 1/1 1 1 26d app postgres-sonar 1/1 1 1 3d app tomcat 1/1 1 1 32d kube-devops jenkins 1/1 1 1 2d4h kube-devops nexus-sonatype-nexus 1/1 1 1 2d4h kube-system calico-kube-controllers 1/1 1 1 2d23h kube-system coredns 1/1 1 1 2d22h kubernetes-dashboard dashboard-metrics-scraper 1/1 1 1 70d kubernetes-dashboard kubernetes-dashboard 1/1 1 1 70d nfs-provisioner nfs-subdir-external-provisioner 2/2 2 2 50d test tomcat-deploy 1/1 1 1 13d [rootk8s-master1 app]# kubectl delete deployment hostpath -n app deployment.apps hostpath deleted这样xiaom这个用户就有操作所有命名空间下的deployment的权限