12-kubernetes RBAC 角色访问控制
授权插件,常用Node认证,ABAC,RBAC(Role-based AC),Webhook
-
角色(role)
-
operations
-
objects
-
角色绑定(rolebinding)
-
user account OR service acount
-
role
-
许可(permission)
-
集群角色(cluster role)
-
集群角色绑定(cluster rolebinding)
API:Request path
格式:/apis/<GROUP>/<VERSION>/namespaces/<NAMESPACE_NAME>/<KIND>[/OBJECT_ID]
kubectl api-version http://localhost:8080/apis/apps/v1/namespaces/default/deployments/myapp-deploy/ /apis/apps/v1 /apis/apps/b1beta1 /apis/apps/b1beta2
role创建方法
kubectl create role pods-reader -h kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml >/tmp/role-demo.yaml #查看 kubectl get role kubectl describe role pods-reader
绑定帐号到对应许可权限
kubectl create rolebinding leiyan-read-pods --role=pods-reader --user=leiyan --dry-run -o yaml kubectl describe rolebinding magedu-read-pods
Cluster role 创建方法
kubectl create clusterrole pods-reader -h kubectl create clusterrole cluster-reader --verb=get,list,watch --resource=pods --dry-run -o yaml >/tmp/clusterrole-demo.yaml #查看 kubectl get clusterrole kubectl describe clusterrole cluster-reader
绑定帐号到集群级许可权限
kubectl create clusterrolebinding leiyan-test --clusterrole=cluster-reader --user=leiyan --dry-run -o yaml kubectl describe clusterrolebinding leiyan-test
桂ICP备16010384号-1
停留在世界边缘,与之惜别