16. Kubernetes RBAC
Roles come in two kinds: ClusterRole and Role.
Let's start by understanding the ordinary Role.
[root@master ~]# kubectl create role pod-read --verb=get,list,watch --resource=pods --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pod-read
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@master ~]# kubectl create rolebinding song-pod-read --role=pod-read --user=song --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: song-pod-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: song
[root@master ~]# kubectl create role pod-read --verb=get,list,watch --resource=pods
role.rbac.authorization.k8s.io/pod-read created
[root@master ~]# kubectl create rolebinding song-pod-read --role=pod-read --user=song
rolebinding.rbac.authorization.k8s.io/song-pod-read created
Switch to our song user again, and we find that he can now view pods in the default namespace:
[root@master ~]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
debian-869994669d-226qq / Running 21d
filebeat-ds-msmst / Running 23d
filebeat-ds-qkpd9 / Running 23d
haproxy-598b6697db-d7h6w / Running 22d
myapp-deploy-7769f49474-c7w49 / Running 21d
myapp-deploy-7769f49474-r6xjr / Running 21d
myapp-deploy-7769f49474-rwhfc / Running 24d
myapp-deploy-7769f49474-vgshx / Running 24d
myapp-deploy-7769f49474-xcf9m / Running 24d
mysqlxx-784fdd7b55-x9czr-69b97d59d4-slspx / Running 21d
pod-demo / Running 19d
pod-sa / Running 37h
redis-85b846ff9c-h7j72 / Running 23d
redis-state- / CrashLoopBackOff 11d
redis-state- / CrashLoopBackOff 10d
tomcat-test-76789745c5-42c5d / Running 30d
tomcat-test-76789745c5-5wzl7 / Running
At the cluster scope, however, he still has no permission:
[root@master ~]# kubectl get pod --all-namespaces
Error from server (Forbidden): pods is forbidden: User "song" cannot list resource "pods" in API group "" at the cluster scope
Use a ClusterRole to grant the user broad, cross-namespace permissions:
[root@master ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@master ~]# kubectl delete rolebindings.rbac.authorization.k8s.io song-pod-read
rolebinding.rbac.authorization.k8s.io "song-pod-read" deleted
[root@master ~]# kubectl create clusterrole all-pod-read --verb=get,list,watch --resource=pods
clusterrole.rbac.authorization.k8s.io/all-pod-read created
[root@master ~]# kubectl create clusterrolebinding song-all-pod-read --clusterrole=all-pod-read --user=song
clusterrolebinding.rbac.authorization.k8s.io/song-all-pod-read created
[root@master ~]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master ~]# kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default debian-869994669d-226qq / Running 21d
default filebeat-ds-msmst / Running 23d
default filebeat-ds-qkpd9 / Running 23d
default haproxy-598b6697db-d7h6w / Running 22d
default myapp-deploy-7769f49474-c7w49 / Running 21d
default myapp-deploy-7769f49474-r6xjr / Running 21d
default myapp-deploy-7769f49474-rwhfc / Running 24d
default myapp-deploy-7769f49474-vgshx / Running 24d
default myapp-deploy-7769f49474-xcf9m / Running 24d
default mysqlxx-784fdd7b55-x9czr-69b97d59d4-slspx / Running 21d
default pod-demo / Running 19d
default pod-sa / Running 37h
default redis-85b846ff9c-h7j72 / Running 23d
default redis-state- / CrashLoopBackOff 11d
default redis-state- / CrashLoopBackOff 10d
default tomcat-test-76789745c5-42c5d / Running 30d
default tomcat-test-76789745c5-5wzl7 / Running 21d
ingress-nginx nginx-ingress-controller-797b884cbc-zcqsv / Running 20d
kube-system coredns-86c58d9df4-gs9x7 / Running 32d
kube-system coredns-86c58d9df4-srzb9 / Running 32d
kube-system etcd-master / Running 32d
kube-system kube-apiserver-master / Running 32d
kube-system kube-controller-manager-master / Running 32d
kube-system kube-flannel-ds-amd64-2fkc8 / Running 31d
kube-system kube-flannel-ds-amd64-cmjjg / Running 31d
kube-system kube-flannel-ds-amd64-t4b42 / Running 32d
kube-system kube-proxy-mdmp5 / Running 31d
kube-system kube-proxy-qjvhv / Running 31d
kube-system kube-proxy-rkh97 / Running 32d
kube-system kube-scheduler-master / Running 32d
kube-system kubernetes-dashboard-57df4db6b-fw58v / ImagePullBackOff 18d
Normally a ClusterRoleBinding binds a ClusterRole and a RoleBinding binds a Role.
A RoleBinding can also reference a ClusterRole, but then the permissions are narrowed to the namespace of that RoleBinding:
[root@master ~]# kubectl delete clusterrolebindings.rbac.authorization.k8s.io song-all-pod-read
clusterrolebinding.rbac.authorization.k8s.io "song-all-pod-read" deleted
[root@master ~]# kubectl create rolebinding song-all-pod-read --clusterrole=all-pod-read --user=song
rolebinding.rbac.authorization.k8s.io/song-all-pod-read created
[root@master ~]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master ~]# kubectl get pod --all-namespaces
Error from server (Forbidden): pods is forbidden: User "song" cannot list resource "pods" in API group "" at the cluster scope
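The three binding setups walked through above (Role + RoleBinding, ClusterRole + ClusterRoleBinding, ClusterRole + RoleBinding), as an added example that is not part of the original post: a small Python model of the RBAC authorizer's scoping rule for namespaced resources, showing why song can list pods in default but not at cluster scope once the ClusterRole is bound through a RoleBinding. The object names mirror the kubectl commands; the model covers only namespaced resources and user subjects.

```python
# Added example, not code from the original post: a small model of how the
# Kubernetes RBAC authorizer scopes the bindings created above for user "song".
# Names (pod-read, all-pod-read, song-pod-read) mirror the kubectl commands.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple
    def allows(self, group, resource, verb):
        def match(wanted, allowed):
            return "*" in allowed or wanted in allowed
        return (match(group, self.api_groups) and match(resource, self.resources)
                and match(verb, self.verbs))

@dataclass(frozen=True)
class Binding:
    kind: str        # "RoleBinding" or "ClusterRoleBinding"
    namespace: str   # namespace of a RoleBinding; "" for a ClusterRoleBinding
    ref_kind: str    # roleRef.kind: "Role" or "ClusterRole"
    ref_name: str    # roleRef.name
    subjects: tuple  # user names
# Roles keyed by (namespace, name), ClusterRoles by name; both carry the same rule.
ROLES = {("default", "pod-read"): (Rule(("",), ("pods",), ("get", "list", "watch")),)}
CLUSTER_ROLES = {"all-pod-read": (Rule(("",), ("pods",), ("get", "list", "watch")),)}

def can(user, verb, resource, namespace, bindings, group=""):
    """namespace="" means a cluster-scoped request such as --all-namespaces."""
    for b in bindings:
        if user not in b.subjects:
            continue
        if b.kind == "RoleBinding" and namespace != b.namespace:
            # A RoleBinding grants only inside its own namespace, even when it
            # references a ClusterRole; a cluster-scoped request never matches.
            continue
        if b.ref_kind == "ClusterRole":
            rules = CLUSTER_ROLES.get(b.ref_name, ())
        else:  # a Role must live in the RoleBinding's own namespace
            rules = ROLES.get((b.namespace, b.ref_name), ())
        if any(r.allows(group, resource, verb) for r in rules):
            return True
    return False

# The three binding setups walked through in the post.
ROLE_BINDING = (Binding("RoleBinding", "default", "Role", "pod-read", ("song",)),)
CLUSTER_BINDING = (Binding("ClusterRoleBinding", "", "ClusterRole", "all-pod-read", ("song",)),)
NARROWED = (Binding("RoleBinding", "default", "ClusterRole", "all-pod-read", ("song",)),)
def list_pods(bindings, namespace):
    return can("song", "list", "pods", namespace, bindings)
```

On a live cluster the same questions are answered by `kubectl auth can-i list pods --as song -n default` and `kubectl auth can-i list pods --as song --all-namespaces`, which is the quick way to verify a binding before handing out credentials.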
Viewing the cluster's highest-privilege built-in roles:
[root@master ~]# kubectl describe clusterrole admin
Name: admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
rolebindings.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch]
roles.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch]
configmaps [] [] [create delete deletecollection patch update get list watch]
endpoints [] [] [create delete deletecollection patch update get list watch]
persistentvolumeclaims [] [] [create delete deletecollection patch update get list watch]
pods [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers/scale [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers [] [] [create delete deletecollection patch update get list watch]
services [] [] [create delete deletecollection patch update get list watch]
daemonsets.apps [] [] [create delete deletecollection patch update get list watch]
deployments.apps/scale [] [] [create delete deletecollection patch update get list watch]
deployments.apps [] [] [create delete deletecollection patch update get list watch]
replicasets.apps/scale [] [] [create delete deletecollection patch update get list watch]
replicasets.apps [] [] [create delete deletecollection patch update get list watch]
statefulsets.apps/scale [] [] [create delete deletecollection patch update get list watch]
statefulsets.apps [] [] [create delete deletecollection patch update get list watch]
horizontalpodautoscalers.autoscaling [] [] [create delete deletecollection patch update get list watch]
cronjobs.batch [] [] [create delete deletecollection patch update get list watch]
jobs.batch [] [] [create delete deletecollection patch update get list watch]
daemonsets.extensions [] [] [create delete deletecollection patch update get list watch]
deployments.extensions/scale [] [] [create delete deletecollection patch update get list watch]
deployments.extensions [] [] [create delete deletecollection patch update get list watch]
ingresses.extensions [] [] [create delete deletecollection patch update get list watch]
networkpolicies.extensions [] [] [create delete deletecollection patch update get list watch]
replicasets.extensions/scale [] [] [create delete deletecollection patch update get list watch]
replicasets.extensions [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers.extensions/scale [] [] [create delete deletecollection patch update get list watch]
networkpolicies.networking.k8s.io [] [] [create delete deletecollection patch update get list watch]
poddisruptionbudgets.policy [] [] [create delete deletecollection patch update get list watch]
deployments.apps/rollback [] [] [create delete deletecollection patch update]
deployments.extensions/rollback [] [] [create delete deletecollection patch update]
localsubjectaccessreviews.authorization.k8s.io [] [] [create]
pods/attach [] [] [get list watch create delete deletecollection patch update]
pods/exec [] [] [get list watch create delete deletecollection patch update]
pods/portforward [] [] [get list watch create delete deletecollection patch update]
pods/proxy [] [] [get list watch create delete deletecollection patch update]
secrets [] [] [get list watch create delete deletecollection patch update]
services/proxy [] [] [get list watch create delete deletecollection patch update]
bindings [] [] [get list watch]
events [] [] [get list watch]
limitranges [] [] [get list watch]
namespaces/status [] [] [get list watch]
namespaces [] [] [get list watch]
pods/log [] [] [get list watch]
pods/status [] [] [get list watch]
replicationcontrollers/status [] [] [get list watch]
resourcequotas/status [] [] [get list watch]
resourcequotas [] [] [get list watch]
controllerrevisions.apps [] [] [get list watch]
serviceaccounts [] [] [impersonate create delete deletecollection patch update get list watch]
[root@master ~]# kubectl describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
*.* [] [] [*]
[*] [] [*]