权限精细化分配—通过sa和自建角色实现权限精细化分配

1.新建sa

kubectl create sa lishanbin -n planck

2.建立一个角色,并将该角色绑定到sa上

角色role-sa 具有的权限仅仅是namespace planck内的所有pod的查看权限,以及deployment的查看权限,无权删除修改这些资源

[root@k8s-master ~]# cat sa-role-binding.yaml 
#k8s 1.22.10
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-sa
  namespace: planck                         #指定 Namespace
rules:                                      #权限分配
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["pods/attach"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["podtemplates"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments","statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["replicationcontrollers/status"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services/status"]
    verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-role-binding
  namespace: planck                 #指定 Namespace
subjects:
  - kind: ServiceAccount
    name: lishanbin                 #指定 ServiceAccount
    namespace: planck              #指定 Namespace
roleRef:
  kind: Role
  name: role-sa
  apiGroup: rbac.authorization.k8s.io

3.授权namespace的权限,设置ClusterRole和ClusterRolebinding

为什么要授权是因为sa内的secrets里的token只有在dashboard内使用,而上面的角色和角色绑定都是dev这个namespace内的,这样绑定后,拿到token才可以登录到dashboard的首页,否则都无法选择namespace。

cat rbac-cluster-role-binding.yaml 
#k8s 1.22.10
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-namespace-role
rules:
  - apiGroups: [""]                     #配置权限,配置其只用于 namespace 的 list 权限
    resources: ["namespaces"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["namespaces/status"]
    verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-default-role-binding
subjects:
  - kind: ServiceAccount
    name: lishanbin                     #配置为自定义的 ServiceAccount
    namespace: planck                  #指定为服务账户所在的 Namespace
roleRef:
  kind: ClusterRole
  name: rbac-namespace-role             #配置上面的 Role
  apiGroup: rbac.authorization.k8s.io



kubectl -n planck describe secret $(kubectl get secret -n planck | grep lishanbin | awk '{print $1}')

kubernetes的dashboard提供Token和kubeconfig两种认证方式,因此上面拿到token以后可以通过token进行访问planck这个ns下的资源了。

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐