Fine-grained permission assignment in Kubernetes with a ServiceAccount and a custom Role
Fine-grained permissions: implementing them with a ServiceAccount and a custom Role
1. Create the ServiceAccount
kubectl create sa lishanbin -n planck
2. Create a Role and bind it to the ServiceAccount
The Role role-sa grants only read (view) access to all pods in the planck namespace and to deployments; it has no permission to delete or modify those resources.
[root@k8s-master ~]# cat sa-role-binding.yaml
# k8s 1.22.10
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-sa
  namespace: planck  # target namespace
rules:  # permission rules
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/attach"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["podtemplates"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["replicationcontrollers/status"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services/status"]
    verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-role-binding
  namespace: planck  # target namespace
subjects:
  - kind: ServiceAccount
    name: lishanbin  # the ServiceAccount created above
    namespace: planck  # namespace the ServiceAccount lives in
roleRef:
  kind: Role
  name: role-sa
  apiGroup: rbac.authorization.k8s.io
3. Grant namespace permissions: create a ClusterRole and a ClusterRoleBinding
The reason for this extra grant: the token stored in the ServiceAccount's secret is only used in the dashboard, and the Role and RoleBinding above are scoped to the dev namespace. Only with this binding in place can the token log in to the dashboard home page; without it, no namespace can be selected.
cat rbac-cluster-role-binding.yaml
# k8s 1.22.10
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-namespace-role
rules:
  - apiGroups: [""]  # grant only the list verb on namespaces
    resources: ["namespaces"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["namespaces/status"]
    verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-default-role-binding
subjects:
  - kind: ServiceAccount
    name: lishanbin  # the custom ServiceAccount
    namespace: planck  # namespace the ServiceAccount lives in
roleRef:
  kind: ClusterRole
  name: rbac-namespace-role  # the ClusterRole defined above
  apiGroup: rbac.authorization.k8s.io
kubectl -n planck describe secret $(kubectl get secret -n planck | grep lishanbin | awk '{print $1}')
The Kubernetes dashboard supports two authentication methods, Token and kubeconfig, so with the token obtained above you can access the resources in the planck namespace through the dashboard.
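To check that the Role and ClusterRole above really add up to a view-only account confined to planck, here is a small Python model of how the RBAC authorizer evaluates them. It is an added example, not code from the original post; the rule lists are condensed from the YAML above and matching is simplified to exact names or "*" (no role aggregation, no resourceNames).

```python
# Added example (not from the original post): a small model of the RBAC decisions
# the API server makes for system:serviceaccount:planck:lishanbin under the
# manifests above. Rule lists are condensed from the post's YAML; matching is
# simplified to exact names or "*" (no role aggregation, no resourceNames).
CORE = ""  # the core API group is written as "" in RBAC rules
READ = ["get", "list", "watch"]
MUTATING = {"create", "update", "patch", "delete", "deletecollection"}
# Role "role-sa", bound by a RoleBinding inside namespace planck
ROLE_SA = [
    {"apiGroups": [CORE], "verbs": READ,
     "resources": ["pods", "pods/log", "pods/attach", "pods/exec", "pods/status",
                   "podtemplates", "configmaps", "endpoints", "events",
                   "replicationcontrollers", "services", "services/status"]},
    {"apiGroups": [CORE], "resources": ["replicationcontrollers/status"], "verbs": ["get"]},
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments", "statefulsets"], "verbs": READ},
]
# ClusterRole "rbac-namespace-role", bound by a ClusterRoleBinding (cluster-wide)
CLUSTER_ROLE_NS = [
    {"apiGroups": [CORE], "resources": ["namespaces"], "verbs": ["list"]},
    {"apiGroups": [CORE], "resources": ["namespaces/status"], "verbs": ["get"]},
]

def _matches(allowed, value):
    return "*" in allowed or value in allowed

def rule_allows(rule, group, resource, verb):
    return (_matches(rule["apiGroups"], group) and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))

def can_i(verb, resource, namespace=None, group=CORE):
    """Answer as `kubectl auth can-i` would for this ServiceAccount.
    namespace=None means a cluster-scoped request such as listing namespaces."""
    # A ClusterRoleBinding applies everywhere: in every namespace and at cluster scope.
    if any(rule_allows(r, group, resource, verb) for r in CLUSTER_ROLE_NS):
        return True
    # A RoleBinding only covers requests inside its own namespace.
    if namespace == "planck":
        return any(rule_allows(r, group, resource, verb) for r in ROLE_SA)
    return False

def mutating_grants():
    """Every (group, resource, verb) that could change state; empty for a view-only account."""
    return [(g, res, v) for rule in ROLE_SA + CLUSTER_ROLE_NS
            for v in rule["verbs"] if v == "*" or v in MUTATING
            for g in rule["apiGroups"] for res in rule["resources"]]

if __name__ == "__main__":
    for req in [("list", "pods", "planck"), ("delete", "pods", "planck"), ("list", "pods", "dev")]:
        print(req, "->", "yes" if can_i(*req) else "no")
    print("namespaces list:", can_i("list", "namespaces"), "| mutating grants:", mutating_grants())
```

On a live cluster the same questions are answered by `kubectl auth can-i list pods -n planck --as=system:serviceaccount:planck:lishanbin`, and `kubectl auth can-i --list` with the same `--as` enumerates everything the account is allowed to do.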