Role
- Defines permission rules, scoped to a single namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- Verb kinds:
  ["get","post","list", "watch", "create", "update", "patch", "delete"]
- Other Role examples
  - Subresources, such as the log of a pod (pods/log)
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
  - Restricting resources by name; when resourceNames is set, the verb cannot be list, watch, create, or deletecollection
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: configmap-updater
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["update", "get"]
ClusterRole
Defines user permission rules at the cluster level, independent of any namespace
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
RoleBinding and ClusterRoleBinding
- Grants the permissions of a role to a serviceAccount
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
- ClusterRoleBinding works the same way
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
- The subjects of a binding can be groups, users or service accounts.
Worked example: a service account granted admin privileges
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hitsm-admin
  namespace: hitsm
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hitsm-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: hitsm-admin
subjects:
- kind: ServiceAccount
  name: hitsm-admin
  namespace: hitsm
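The following is an added example, not part of the original notes and not code from Kubernetes itself. It re-implements the core of RBAC rule matching for the PolicyRule objects on this page (wildcards, subresources, resourceNames) so the roles above can be evaluated offline, and adds the review check a practitioner wants for the last example: a rule with '*' in apiGroups, resources and verbs is equivalent to cluster-admin, and resourceNames combined with list, watch, create or deletecollection does not restrict anything. The manifests are the page's Role/ClusterRole objects transcribed into Python dicts; nonResourceURLs and aggregation are not modelled.

```python
"""Minimal evaluator and linter for Kubernetes RBAC PolicyRules.

Added example: a simplified re-implementation of how the RBAC authorizer
matches a request against the rules of a Role/ClusterRole. It is NOT the
kube-apiserver's code. The roles below are the page's manifests as dicts.
"""

# Verbs the page says cannot be combined with resourceNames.
NAME_UNRESTRICTABLE_VERBS = {"list", "watch", "create", "deletecollection"}

POD_READER = {  # page's pod-reader Role
    "kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "watch", "list"]}],
}

POD_LOGS_READER = {  # page's pod-and-pod-logs-reader Role
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "pod-and-pod-logs-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
               "verbs": ["get", "list"]}],
}

CONFIGMAP_UPDATER = {  # page's configmap-updater Role
    "kind": "Role", "metadata": {"namespace": "default", "name": "configmap-updater"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"],
               "resourceNames": ["my-configmap"], "verbs": ["update", "get"]}],
}

HITSM_ADMIN = {  # page's hitsm-admin ClusterRole: full wildcard
    "kind": "ClusterRole", "metadata": {"name": "hitsm-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def _matches(allowed, value):
    """A '*' entry matches anything; otherwise the value must be listed."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb, name=None):
    """True if a single PolicyRule grants `verb` on `resource`.

    `resource` may be a subresource such as "pods/log"; a rule entry of the
    form "*/log" matches that subresource on every resource. When the rule
    carries resourceNames, the request must name one of them.
    """
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    resources = rule.get("resources", [])
    subresource_wildcard = "/" in resource and f"*/{resource.split('/', 1)[1]}" in resources
    if not _matches(resources, resource) and not subresource_wildcard:
        return False
    names = rule.get("resourceNames")
    if names:
        return name is not None and name in names
    return True


def role_allows(role, api_group, resource, verb, name=None):
    """Rules are OR'ed: any single matching rule grants the request."""
    return any(rule_allows(r, api_group, resource, verb, name) for r in role["rules"])


def lint_role(role):
    """Return review findings for a Role/ClusterRole: wildcard grants and
    resourceNames paired with verbs that cannot be restricted by name."""
    findings = []
    for i, rule in enumerate(role["rules"]):
        wild = [k for k in ("apiGroups", "resources", "verbs") if "*" in rule.get(k, [])]
        if len(wild) == 3:
            findings.append(f"rule {i}: full wildcard (equivalent to cluster-admin)")
        elif wild:
            findings.append(f"rule {i}: wildcard in {', '.join(wild)}")
        bad = NAME_UNRESTRICTABLE_VERBS & set(rule.get("verbs", []))
        if rule.get("resourceNames") and bad:
            findings.append(f"rule {i}: resourceNames combined with verbs {sorted(bad)}, "
                            "which cannot be restricted by name")
    return findings


if __name__ == "__main__":
    for role in (POD_READER, POD_LOGS_READER, CONFIGMAP_UPDATER, HITSM_ADMIN):
        print(role["metadata"]["name"], lint_role(role) or "no findings")
```

Running the module prints one line per role; only hitsm-admin produces a finding, which is the point of the last example: binding that ClusterRole to a service account hands it cluster-admin-equivalent access across every namespace, so such rules should be reviewed before they are applied.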