I. User --> RoleBinding --> Role
A Role can only grant access to resources in a single namespace.
1. Create a namespace
# cat namespace-dev.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: development
# kubectl get ns
development   Active   56s
2. Create an instance in that namespace
# kubectl create -f nginx-deployment.yaml -n development
# kubectl get pod -n development
NAME                               READY   STATUS    RESTARTS   AGE
nginx-deployment-6dd86d77d-pqndm   1/1     Running   0          20s
nginx-deployment-6dd86d77d-q268r   1/1     Running   0          20s
nginx-deployment-6dd86d77d-zn4f4   1/1     Running   0          20s
3. Issue a private certificate signed by the cluster's CA
# cd /etc/kubernetes/pki/
# openssl genrsa -out dev.key 2048
# openssl req -new -key dev.key -out dev.csr -subj "/CN=dev"
# openssl x509 -req -in dev.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out dev.crt -days 3650
# openssl x509 -noout -text -in ./dev.crt
4. Create a user from the generated certificate
# kubectl config set-credentials dev --client-certificate=./dev.crt --client-key=./dev.key --embed-certs=true
User "dev" set.
5. Define a context
# kubectl config set-context [email protected] --cluster=kubernetes --user=dev --namespace=development
Context "[email protected]" created.
6. Create the Role
A Role can only grant access to resources in a single namespace; the Role defined here is scoped to the development namespace.
# kubectl create role pods-reader --verb=get,list,watch --resource=pods --dry-run -o yaml > role-demo.yaml
# cat role-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader
  namespace: development
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
# kubectl apply -f role-demo.yaml
7. Create a RoleBinding that binds the Role to the user
# kubectl create rolebinding dev-read-pods --role=pods-reader --user=dev --dry-run -o yaml > rolebinding-demo.yaml
# cat rolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-pods
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
# kubectl apply -f rolebinding-demo.yaml
8. Switch context
# kubectl config use-context [email protected]
Switched to context "[email protected]".
# kubectl get pods
NAME                               READY   STATUS    RESTARTS   AGE
nginx-deployment-6dd86d77d-pqndm   1/1     Running   0          22m
nginx-deployment-6dd86d77d-q268r   1/1     Running   0          22m
nginx-deployment-6dd86d77d-zn4f4   1/1     Running   0          22m
# kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" in the namespace "default"
# kubectl config use-context [email protected]
Switched to context "[email protected]".
II. User --> ClusterRoleBinding --> ClusterRole
1. Create a ClusterRole
# kubectl create clusterrole cluster-read --verb=get,list,watch --resource=pods,node --dry-run -o yaml > clusterrole-demo.yaml
# cat clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: cluster-read
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
2. Define the ClusterRoleBinding
# kubectl create clusterrolebinding dev-read-all-pods --clusterrole=cluster-read --user=dev --dry-run -o yaml > clusterrolebinding-demo.yaml
# cat clusterrolebinding-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-all-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
3. Delete the RoleBinding created earlier
# kubectl delete rolebinding -n development dev-read-pods
rolebinding.rbac.authorization.k8s.io "dev-read-pods" deleted
# kubectl create -f clusterrole-demo.yaml -f clusterrolebinding-demo.yaml
clusterrole.rbac.authorization.k8s.io/cluster-read created
clusterrolebinding.rbac.authorization.k8s.io/dev-read-all-pods created
4. Define a context
# kubectl config set-context [email protected] --cluster=kubernetes --user=dev
Context "[email protected]" created.
5. Switch context and test
# kubectl config use-context [email protected]
Switched to context "[email protected]".
# kubectl get pod -n ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-5694ccb578-9m8j8   1/1     Running   0          20d
# kubectl get node
NAME    STATUS   ROLES    AGE   VERSION
k8s-1   Ready    master   49d   v1.14.2
k8s-2   Ready    <none>   48d   v1.14.2
k8s-3   Ready    <none>   48d   v1.14.2
k8s-4   Ready    <none>   15d   v1.14.2
k8s-5   Ready    <none>   15d   v1.14.2
# kubectl get svc
Error from server (Forbidden): services is forbidden: User "dev" cannot list resource "services" in API group "" in the namespace "default"
# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://20.0.20.101:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: development
    user: dev
  name: [email protected]
- context:
    cluster: kubernetes
    user: dev
  name: [email protected]
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: [email protected]
current-context: [email protected]
kind: Config
preferences: {}
users:
- name: dev
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
# kubectl config use-context [email protected]
Switched to context "[email protected]"
III. User --> RoleBinding --> ClusterRole
1. Delete the ClusterRoleBinding created earlier
# kubectl delete clusterrolebinding dev-read-all-pods
clusterrolebinding.rbac.authorization.k8s.io "dev-read-all-pods" deleted
2. Define the ClusterRole (the generated file is edited in vim so that it covers pods and services)
# kubectl create clusterrole clusterrole-role --verb=get,list,watch --resource=pods,node --dry-run -o yaml > clusterrole-rolebinding.yaml
# vim clusterrole-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: clusterrole-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  verbs:
  - get
  - list
  - watch
3. Define the RoleBinding
# kubectl create rolebinding dev-read-pn --clusterrole=clusterrole-role --user=dev --dry-run -o yaml > rolebinding-clusterrole-demo.yaml
# vim rolebinding-clusterrole-demo.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: dev-read-pn
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: clusterrole-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev
# kubectl apply -f clusterrole-rolebinding.yaml -f rolebinding-clusterrole-demo.yaml
clusterrole.rbac.authorization.k8s.io/clusterrole-role created
rolebinding.rbac.authorization.k8s.io/dev-read-pn created
4. Switch context
# kubectl config use-context [email protected]
Switched to context "[email protected]".
# kubectl get pod
No resources found.
# kubectl get pod -A
Error from server (Forbidden): pods is forbidden: User "dev" cannot list resource "pods" in API group "" at the cluster scope
# kubectl get svc
NAME                                                     TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
glusterfs-dynamic-db9abc87-9e0a-11e9-a2f3-00505694834d   ClusterIP   10.103.125.206   <none>        1/TCP     13d
Cluster-level resources such as nodes and persistentvolumes, as well as non-resource URLs, are not namespaced, so they cannot be granted through a RoleBinding. No non-namespaced resource can be bound to a user via a RoleBinding; granting access to them is the job of a ClusterRoleBinding.
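The three sections above each leave user dev with a different set of permissions. The following is an added example, not code from the original post, that models the RBAC authorizer's decision for those three bindings and reproduces the Forbidden errors and successful listings seen in the transcripts; it assumes the section III RoleBinding was created in the default namespace (its manifest has no namespace and the admin context has none) and leaves out apiGroups and resourceNames, since every rule on this page is in the core group.

```python
RW = ["get", "list", "watch"]

def rule_allows(rule, verb, resource):
    # apiGroups/resourceNames are ignored: every rule on this page is in the core ("") group.
    return verb in rule["verbs"] and resource in rule["resources"]

def authorize(user, verb, resource, namespace, roles, clusterroles, rbs, crbs):
    # namespace=None is a cluster-scope request (`kubectl get pod -A`, `kubectl get node`).
    # A ClusterRoleBinding applies in every namespace and at cluster scope.
    for crb in crbs:
        if user in crb["subjects"] and any(
                rule_allows(r, verb, resource) for r in clusterroles[crb["role"]]):
            return True
    # A RoleBinding grants only inside its own namespace, whether it references a
    # Role or a ClusterRole, so it never satisfies a cluster-scope request.
    if namespace is None:
        return False
    for rb in rbs:
        if rb["namespace"] != namespace or user not in rb["subjects"]:
            continue
        rules = (clusterroles[rb["role"]] if rb["kind"] == "ClusterRole"
                 else roles[(rb["namespace"], rb["role"])])
        if any(rule_allows(r, verb, resource) for r in rules):
            return True
    return False

# Rules copied from the manifests above (a Role is keyed by namespace and name).
ROLES = {("development", "pods-reader"): [{"resources": ["pods"], "verbs": RW}]}
CLUSTERROLES = {"cluster-read": [{"resources": ["pods", "nodes"], "verbs": RW}],
                "clusterrole-role": [{"resources": ["pods", "services"], "verbs": RW}]}
# One binding per section (RoleBindings, ClusterRoleBindings). Assumption: the section III
# RoleBinding has no namespace in its manifest, so it was created in "default".
SCENARIOS = {
    1: ([dict(namespace="development", kind="Role", role="pods-reader", subjects=["dev"])], []),
    2: ([], [dict(role="cluster-read", subjects=["dev"])]),
    3: ([dict(namespace="default", kind="ClusterRole", role="clusterrole-role", subjects=["dev"])], []),
}

def can(section, verb, resource, namespace, user="dev"):
    """Decision the apiserver reaches for `dev` with only that section's binding in place."""
    rbs, crbs = SCENARIOS[section]
    return authorize(user, verb, resource, namespace, ROLES, CLUSTERROLES, rbs, crbs)

if __name__ == "__main__":
    for sec, res, ns in [(1, "pods", "default"), (2, "nodes", None), (3, "pods", None), (3, "services", "default")]:
        print(f"section {sec}: dev list {res} in {ns or 'cluster scope'} -> {can(sec, 'list', res, ns)}")
```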