A few concepts in RBAC:
Rules: a set of verbs that may be performed on resources in one or more API groups.
Role and ClusterRole: both consist of a set of rules. The difference is that a Role is scoped to a single namespace, while a ClusterRole applies to the whole cluster.
Subject: there are three kinds of subjects: Service Account, User Account and Group. According to the official documentation, the main difference is that User Accounts are for people, while Service Accounts are for processes running inside Pods.
RoleBinding and ClusterRoleBinding: bind a Subject to a Role or ClusterRole. The difference is that a RoleBinding makes the rules take effect within one namespace, while a ClusterRoleBinding makes them take effect in all namespaces.
Verification is as follows.
Create the namespace, then generate a private key and a certificate signed by the cluster CA:
kubectl create namespace test
openssl genrsa -out wolken.key 2048
openssl req -new -key wolken.key -out wolken.csr -subj "/CN=wolken/O=test"
openssl x509 -req -in wolken.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out wolken.crt -days 30
Create the user credentials:
[root@master ssl]# kubectl config set-credentials wolken --client-certificate=/root/ssl/wolken.crt --client-key=/root/ssl/wolken.key
User "wolken" set.
Create the context:
[root@master ssl]# kubectl config set-context wolken-context --cluster=kubernetes --namespace=test --user=wolken
Context "wolken-context" created.
Listing pods as the wolken user shows that it has no permission yet:
[root@master ssl]# kubectl --context=wolken-context get pods
Error from server (Forbidden): pods is forbidden: User "wolken" cannot list resource "pods" in API group "" in the namespace "test"
Grant wolken the permission:
[root@master ssl]# cat role.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test
  name: role-hy
rules:
# pods live in the core ("") API group; "extensions" and "apps" match no pods resource
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
[root@master ssl]# kubectl apply -f role.yml
role.rbac.authorization.k8s.io/role-hy created
[root@master ssl]# cat role-bind.yml
kind: RoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebind-hy
  namespace: test
subjects:
- kind: User
  name: wolken
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: role-hy
  # an empty apiGroup is defaulted to this value; state it explicitly
  apiGroup: rbac.authorization.k8s.io
Now the request succeeds:
kubectl --context=wolken-context get pods
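As an added example (not code from the original post), the following Python models the scoping rules described at the top: RoleBinding versus ClusterRoleBinding, and verb/apiGroup/resource matching. It mirrors role.yml and role-bind.yml inline so the grant to wolken can be checked without a cluster, the way `kubectl auth can-i` would check it; the "auditor" user and "pods-viewer" ClusterRole are constructed here only to show the cluster-wide reach of a ClusterRoleBinding.

```python
# Offline model of Kubernetes RBAC evaluation (added example, not from the post).
# ROLES mirrors role.yml plus a constructed ClusterRole; BINDINGS mirrors
# role-bind.yml plus a constructed ClusterRoleBinding for the "auditor" user.

ROLES = {
    # key: (kind, namespace or None for cluster-scoped objects, name)
    ("Role", "test", "role-hy"): {
        "rules": [{"apiGroups": ["", "extensions", "apps"],
                   "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    ("ClusterRole", None, "pods-viewer"): {
        "rules": [{"apiGroups": [""], "resources": ["pods"],
                   "verbs": ["get", "list"]}]},
}

BINDINGS = [
    {"kind": "RoleBinding", "namespace": "test",
     "subjects": [{"kind": "User", "name": "wolken"}],
     "roleRef": {"kind": "Role", "name": "role-hy"}},
    {"kind": "ClusterRoleBinding",
     "subjects": [{"kind": "User", "name": "auditor"}],
     "roleRef": {"kind": "ClusterRole", "name": "pods-viewer"}},
]

def _rule_allows(rule, verb, group, resource):
    """A rule grants a request only if verb, API group and resource all match ('*' is a wildcard)."""
    def hit(values, want):
        return want in values or "*" in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], group)
            and hit(rule["resources"], resource))

def can_i(user, verb, resource, namespace, group="", groups=(),
          roles=ROLES, bindings=BINDINGS):
    """True if some binding naming the user (or one of its groups) grants the request."""
    for b in bindings:
        # A RoleBinding is only consulted for requests in its own namespace;
        # a ClusterRoleBinding applies to every namespace.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if not any((s["kind"] == "User" and s["name"] == user)
                   or (s["kind"] == "Group" and s["name"] in groups)
                   for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        # A RoleBinding may reference a Role in its namespace or a ClusterRole;
        # either way the grant stays limited to the binding's namespace.
        ns = b["namespace"] if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], ns, ref["name"]))
        if role and any(_rule_allows(r, verb, group, resource) for r in role["rules"]):
            return True
    return False
```

Checking `can_i("wolken", "list", "pods", "test")` returns True while the same request in "default" or with verb "delete" returns False, which is the least-privilege result the RoleBinding above is meant to produce.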