Lab environment

Kubernetes environment: see the k8s-v.120.10 binary deployment guide

Aggregated ClusterRoles in k8s

[root@k8s-master-1 kubectl]# cat aggregation.yaml 
# Create an aggregated ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregation-selector
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregation-pod: "true"
  - matchLabels:
      rbac.example.com/aggregation-service: "true"
rules: [] # the control plane fills in these rules automatically
# Create the other two ClusterRoles
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregation-pod
  labels:
    rbac.example.com/aggregation-pod: "true"
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregation-service
  labels:
    rbac.example.com/aggregation-service: "true"
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","list","watch"]
# Create a ClusterRoleBinding that grants aggregation-selector to the user kubectl-test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aggregation-bind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aggregation-selector
subjects:
- kind: User
  name: kubectl-test
  apiGroup: rbac.authorization.k8s.io
Verification from k8s-node-1, where kubectl is configured to authenticate as the user kubectl-test (the user named in the Forbidden error below):

[root@k8s-node-1 ~]# kubectl get pods
No resources found in default namespace.
[root@k8s-node-1 ~]# kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-855445d444-n2c4m   1/1     Running   4          2d17h
kube-system   calico-node-6pkz6                          1/1     Running   5          8d
kube-system   calico-node-8nz7s                          1/1     Running   2          8d
kube-system   calico-node-z7pwc                          1/1     Running   9          8d
kube-system   coredns-6f4c9cb7c5-hj9bj                   1/1     Running   5          8d
kube-system   metrics-server-68bdbcc6b-gk6cq             1/1     Running   5          8d
[root@k8s-node-1 ~]# kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.0.0.1     <none>        443/TCP   9d
[root@k8s-node-1 ~]# kubectl get secret
Error from server (Forbidden): secrets is forbidden: User "kubectl-test" cannot list resource "secrets" in API group "" in the namespace "default"

Summary: the experiment shows that an aggregated ClusterRole carries no permissions of its own (its rules field is empty). The control plane's aggregation controller evaluates the clusterRoleSelectors, finds the ClusterRoles whose labels match, and copies their rules into the aggregate, so a subject bound to it indirectly receives the union of those rules: here get/list/watch on pods and services, and nothing on secrets, hence the Forbidden error. Because the controller keeps the aggregate in sync, any ClusterRole created later that carries a matching label is merged in automatically, so those labels are effectively part of the authorization boundary and should be guarded as such.
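To make the mechanism concrete, the following is an added example (not code from the page or from the Kubernetes source): a small Python model of what the aggregation controller does with the three ClusterRoles above, followed by a minimal can-i style check that reproduces the page's results and then shows the caveat, namely a later ClusterRole that merely carries a matching label extending kubectl-test's access. Assumptions: only matchLabels selectors, only User subjects, only ClusterRoleBindings, no resourceNames or nonResourceURLs; the late ClusterRole named team-x-secret-reader is constructed for the example.

```python
"""Added example (not from the page or Kubernetes source): a model of how the
control plane's ClusterRole aggregation controller fills in an aggregated
ClusterRole's rules, plus a minimal RBAC "can-i" check.
Simplifications (assumptions): only matchLabels selectors, only User subjects,
only ClusterRoleBindings, no resourceNames/nonResourceURLs."""

# The page's three ClusterRoles and the binding, transcribed as dicts so the
# example runs with no cluster and no YAML library.
CLUSTER_ROLES = [
    {
        "metadata": {"name": "aggregation-selector"},
        "aggregationRule": {"clusterRoleSelectors": [
            {"matchLabels": {"rbac.example.com/aggregation-pod": "true"}},
            {"matchLabels": {"rbac.example.com/aggregation-service": "true"}},
        ]},
        "rules": [],  # controller output goes here
    },
    {
        "metadata": {"name": "aggregation-pod",
                     "labels": {"rbac.example.com/aggregation-pod": "true"}},
        "rules": [{"apiGroups": [""], "resources": ["pods"],
                   "verbs": ["get", "list", "watch"]}],
    },
    {
        "metadata": {"name": "aggregation-service",
                     "labels": {"rbac.example.com/aggregation-service": "true"}},
        "rules": [{"apiGroups": [""], "resources": ["services"],
                   "verbs": ["get", "list", "watch"]}],
    },
]

CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "aggregation-selector"},
     "subjects": [{"kind": "User", "name": "kubectl-test"}]},
]


def selector_matches(selector, labels):
    """matchLabels: every key/value pair in the selector must be on the object."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate(cluster_roles):
    """Recompute the rules of every aggregated ClusterRole.
    Per selector, matching roles (other than the aggregate itself) are taken in
    name order and their rules appended, skipping exact duplicates. The
    aggregate's stored rules are discarded: they are output, not input."""
    out = []
    for role in cluster_roles:
        agg = role.get("aggregationRule")
        if not agg:
            out.append(role)
            continue
        merged = []
        for selector in agg["clusterRoleSelectors"]:
            matched = [r for r in cluster_roles if r is not role
                       and selector_matches(selector, r["metadata"].get("labels", {}))]
            for other in sorted(matched, key=lambda r: r["metadata"]["name"]):
                for rule in other["rules"]:
                    if rule not in merged:
                        merged.append(rule)
        out.append({**role, "rules": merged})
    return out


def _rule_allows(rule, api_group, resource, verb):
    def hit(field, value):
        return value in rule.get(field, []) or "*" in rule.get(field, [])
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)


def can(user, verb, resource, cluster_roles, bindings, api_group=""):
    """Rough equivalent of `kubectl auth can-i <verb> <resource> --as <user>`:
    True if a ClusterRoleBinding for `user` points at a ClusterRole whose
    (aggregated) rules cover the request. RBAC is allow-only: no rule, no access."""
    roles = {r["metadata"]["name"]: r for r in aggregate(cluster_roles)}
    for binding in bindings:
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        role = roles.get(binding["roleRef"]["name"])
        if role and any(_rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


def demo():
    """Reproduce the page's three kubectl calls, then show the caveat: a
    ClusterRole created later that merely carries a matching label is merged
    into the aggregate, so kubectl-test gains access nobody explicitly bound."""
    before = {
        "list pods": can("kubectl-test", "list", "pods", CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS),
        "list services": can("kubectl-test", "list", "services", CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS),
        "list secrets": can("kubectl-test", "list", "secrets", CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS),
    }
    # Constructed for this example: a hypothetical ClusterRole added later.
    late = {"metadata": {"name": "team-x-secret-reader",
                         "labels": {"rbac.example.com/aggregation-pod": "true"}},
            "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]}
    after = can("kubectl-test", "get", "secrets", CLUSTER_ROLES + [late], CLUSTER_ROLE_BINDINGS)
    return before, after


if __name__ == "__main__":
    print(aggregate(CLUSTER_ROLES)[0]["rules"])
    print(demo())
```

On a real cluster the same two checks are "kubectl get clusterrole aggregation-selector -o yaml", whose rules section is populated by the controller, and "kubectl auth can-i list secrets --as kubectl-test". The practical lesson of the demo function is that whoever can create a ClusterRole with one of the selector labels can widen what every subject of aggregation-selector may do, without touching the binding.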

References
https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
