GKE RBAC 演示项目教程

于 2024-08-28 08:18:15 发布
阅读量312 收藏 9
点赞数 3
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/gitblog_00279/article/details/141621502
版权

GKE RBAC 演示项目教程

gke-rbac-demoThis project covers two use cases for RBAC within a Kubernetes Engine cluster. First, assigning different permissions to user personas. Second, granting limited API access to an application running within your cluster. Since RBAC's flexibility can occasionally result in complex rules, you will also perform common steps for troubleshooting RBAC as a part of the second scenario.项目地址:https://gitcode.com/gh_mirrors/gk/gke-rbac-demo

1. 项目的目录结构及介绍

GKE RBAC 演示项目的目录结构如下:

gke-rbac-demo/
├── manifests/
│   ├── hello-server.yaml
│   ├── pod-labeler.yaml
│   └── rbac.yaml
├── terraform/
│   └── iam.tf
├── README.md
└── LICENSE

目录介绍

  • manifests/: 包含 Kubernetes 资源配置文件,如 hello-server.yamlpod-labeler.yaml,以及 RBAC 配置文件 rbac.yaml
  • terraform/: 包含 Terraform 配置文件,如 iam.tf,用于管理 IAM 资源。
  • README.md: 项目说明文档。
  • LICENSE: 项目许可证文件。

2. 项目的启动文件介绍

项目的启动文件主要位于 manifests/ 目录下,包括 hello-server.yamlpod-labeler.yaml

hello-server.yaml

该文件定义了一个简单的 Kubernetes 服务和部署,用于在不同命名空间中创建一个示例服务。

apiVersion: v1
kind: Service
metadata:
  name: hello-server
  namespace: dev
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: hello-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-server
  namespace: dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-server
  template:
    metadata:
      labels:
        app: hello-server
    spec:
      containers:
      - name: hello-server
        image: gcr.io/google-samples/hello-app:1.0
        ports:
        - containerPort: 8080

pod-labeler.yaml

该文件定义了一个角色、服务账户、角色绑定和部署,用于在 Kubernetes 集群中自动为 Pod 添加标签。

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-labeler
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "update"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-labeler
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-labeler
  namespace: default
subjects:
- kind: ServiceAccount
  name: pod-labeler
  namespace: default
roleRef:
  kind: Role
  name: pod-labeler
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-labeler
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pod-labeler
  template:
    metadata:
      labels:
        app: pod-labeler
    spec:
      serviceAccountName: pod-labeler
      containers:
      - name: pod-labeler
        image: gcr.io/google-samples/pod-labeler:1.0
        command: ["/pod-labeler"]

3. 项目的配置文件介绍

项目的配置文件主要位于 terraform/ 目录下,包括 iam.tf

iam.tf

该文件使用 Terraform 定义了 IAM 资源,用于管理 Google Cloud 的 IAM 策略。

provider "google" {
  project = "your-project-id"
  region  = "us-central1"
}

resource "google_project_iam_member" "owner" {
  project = "your-project-id"
  role    = "roles/owner"
  member  = "user:owner@example.com"
}

resource "google_project_iam_member" "auditor" {
  project = "your-

gke-rbac-demoThis project covers two use cases for RBAC within a Kubernetes Engine cluster. First, assigning different permissions to user personas. Second, granting limited API access to an application running within your cluster. Since RBAC's flexibility can occasionally result in complex rules, you will also perform common steps for troubleshooting RBAC as a part of the second scenario.项目地址:https://gitcode.com/gh_mirrors/gk/gke-rbac-demo

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

伍希望

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值