RBAC roles come in two kinds: Role and ClusterRole. A Role is namespaced and can only grant access to resources inside its own namespace; a ClusterRole is cluster-wide and can additionally cover cluster-scoped resources (nodes, namespaces, ...) and non-resource URLs.
We start with the ordinary Role. The --dry-run -o yaml form below prints the object kubectl would create without actually creating it (on kubectl 1.18 and later the flag is spelled --dry-run=client).
[root@master ~]# kubectl create role pod-read --verb=get,list,watch --resource=pods --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: pod-read
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
[root@master ~]# kubectl create rolebinding song-pod-read --role=pod-read --user=song --dry-run -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  name: song-pod-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-read
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: song
[root@master ~]# kubectl create role pod-read --verb=get,list,watch --resource=pods
role.rbac.authorization.k8s.io/pod-read created
[root@master ~]# kubectl create rolebinding song-pod-read --role=pod-read --user=song
rolebinding.rbac.authorization.k8s.io/song-pod-read created
Switch to the song user again: it can now list pods in the default namespace (the Role and RoleBinding were created without -n, so they live in the current context's namespace, default).
[root@master ~]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master ~]# kubectl get pods
NAME                                        READY   STATUS             RESTARTS   AGE
debian-869994669d-226qq                     1/1     Running            186        21d
filebeat-ds-msmst                           1/1     Running            0          23d
filebeat-ds-qkpd9                           1/1     Running            0          23d
haproxy-598b6697db-d7h6w                    1/1     Running            1          22d
myapp-deploy-7769f49474-c7w49               1/1     Running            0          21d
myapp-deploy-7769f49474-r6xjr               1/1     Running            0          21d
myapp-deploy-7769f49474-rwhfc               1/1     Running            0          24d
myapp-deploy-7769f49474-vgshx               1/1     Running            0          24d
myapp-deploy-7769f49474-xcf9m               1/1     Running            0          24d
mysqlxx-784fdd7b55-x9czr-69b97d59d4-slspx   1/1     Running            0          21d
pod-demo                                    2/2     Running            0          19d
pod-sa                                      1/1     Running            0          37h
redis-85b846ff9c-h7j72                      1/1     Running            0          23d
redis-state-0                               0/1     CrashLoopBackOff   3283       11d
redis-state-1                               0/1     CrashLoopBackOff   3073       10d
tomcat-test-76789745c5-42c5d                1/1     Running            0          30d
tomcat-test-76789745c5-5wzl7                1/1     Running
At cluster scope, however, it still has no permission: listing pods across all namespaces is a cluster-scoped request, and a namespaced RoleBinding can never satisfy one. (As kubernetes-admin you can confirm the same result without switching contexts by running kubectl auth can-i with the --as=song impersonation flag.)
[root@master ~]# kubectl get pod --all-namespaces
Error from server (Forbidden): pods is forbidden: User "song" cannot list resource "pods" in API group "" at the cluster scope
To give the user cross-namespace access, use a ClusterRole together with a ClusterRoleBinding:
[root@master ~]# kubectl config use-context kubernetes-admin@kubernetes
Switched to context "kubernetes-admin@kubernetes".
[root@master ~]# kubectl delete rolebindings.rbac.authorization.k8s.io song-pod-read
rolebinding.rbac.authorization.k8s.io "song-pod-read" deleted
[root@master ~]# kubectl create clusterrole all-pod-read --verb=get,list,watch --resource=pods
clusterrole.rbac.authorization.k8s.io/all-pod-read created
[root@master ~]# kubectl create clusterrolebinding song-all-pod-read --clusterrole=all-pod-read --user=song
clusterrolebinding.rbac.authorization.k8s.io/song-all-pod-read created
[root@master ~]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master ~]# kubectl get pod --all-namespaces
NAMESPACE       NAME                                        READY   STATUS             RESTARTS   AGE
default         debian-869994669d-226qq                     1/1     Running            186        21d
default         filebeat-ds-msmst                           1/1     Running            0          23d
default         filebeat-ds-qkpd9                           1/1     Running            0          23d
default         haproxy-598b6697db-d7h6w                    1/1     Running            1          22d
default         myapp-deploy-7769f49474-c7w49               1/1     Running            0          21d
default         myapp-deploy-7769f49474-r6xjr               1/1     Running            0          21d
default         myapp-deploy-7769f49474-rwhfc               1/1     Running            0          24d
default         myapp-deploy-7769f49474-vgshx               1/1     Running            0          24d
default         myapp-deploy-7769f49474-xcf9m               1/1     Running            0          24d
default         mysqlxx-784fdd7b55-x9czr-69b97d59d4-slspx   1/1     Running            0          21d
default         pod-demo                                    2/2     Running            0          19d
default         pod-sa                                      1/1     Running            0          37h
default         redis-85b846ff9c-h7j72                      1/1     Running            0          23d
default         redis-state-0                               0/1     CrashLoopBackOff   3285       11d
default         redis-state-1                               0/1     CrashLoopBackOff   3075       10d
default         tomcat-test-76789745c5-42c5d                1/1     Running            0          30d
default         tomcat-test-76789745c5-5wzl7                1/1     Running            0          21d
ingress-nginx   nginx-ingress-controller-797b884cbc-zcqsv   1/1     Running            0          20d
kube-system     coredns-86c58d9df4-gs9x7                    1/1     Running            0          32d
kube-system     coredns-86c58d9df4-srzb9                    1/1     Running            0          32d
kube-system     etcd-master                                 1/1     Running            0          32d
kube-system     kube-apiserver-master                       1/1     Running            2          32d
kube-system     kube-controller-manager-master              1/1     Running            3          32d
kube-system     kube-flannel-ds-amd64-2fkc8                 1/1     Running            0          31d
kube-system     kube-flannel-ds-amd64-cmjjg                 1/1     Running            0          31d
kube-system     kube-flannel-ds-amd64-t4b42                 1/1     Running            0          32d
kube-system     kube-proxy-mdmp5                            1/1     Running            0          31d
kube-system     kube-proxy-qjvhv                            1/1     Running            0          31d
kube-system     kube-proxy-rkh97                            1/1     Running            0          32d
kube-system     kube-scheduler-master                       1/1     Running            3          32d
kube-system     kubernetes-dashboard-57df4db6b-fw58v        0/1     ImagePullBackOff   0          18d
Normally a ClusterRoleBinding binds a ClusterRole and a RoleBinding binds a Role.
A RoleBinding may, however, reference a ClusterRole. The effect is that the ClusterRole's permissions are granted only inside the RoleBinding's namespace: song can still list pods in default, but any rules in the ClusterRole that concern other namespaces or cluster-scoped resources are simply not granted. (The reverse, a ClusterRoleBinding that references a Role, is rejected by the API server.) This is the standard way to define a permission set once and hand it out namespace by namespace, and it is why the cluster-wide query below is denied again as soon as the ClusterRoleBinding is replaced by a RoleBinding:
[root@master ~]# kubectl delete clusterrolebindings.rbac.authorization.k8s.io song-all-pod-read
clusterrolebinding.rbac.authorization.k8s.io "song-all-pod-read" deleted
[root@master ~]# kubectl create rolebinding song-all-pod-read --clusterrole=all-pod-read --user=song
rolebinding.rbac.authorization.k8s.io/song-all-pod-read created
[root@master ~]# kubectl config use-context song@kubernetes
Switched to context "song@kubernetes".
[root@master ~]# kubectl get pod --all-namespaces
Error from server (Forbidden): pods is forbidden: User "song" cannot list resource "pods" in API group "" at the cluster scope
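The three binding shapes walked through above (Role + RoleBinding, ClusterRole + ClusterRoleBinding, ClusterRole + RoleBinding) differ only in how the binding's scope is applied. The following Python is an added illustration, not code from this page or from Kubernetes: a small model of the RBAC authorizer's documented decision rule (a request is allowed if any rule of any role bound to the subject matches the verb, API group and resource) that replays the page's three scenarios for user song. The object shapes mirror the dry-run YAML above; the function names (authorize, what_song_can_list) and the simplifications (no resourceNames, no nonResourceURLs, no aggregated ClusterRoles, no subject kinds other than User) are this example's own assumptions.

```python
"""Toy model of Kubernetes RBAC authorization (added example, not Kubernetes code).

Reproduces, for user "song" and `kubectl get pods` (a *list* request), the page's cases:
  Role + RoleBinding               -> allowed only in the binding's namespace
  ClusterRole + ClusterRoleBinding -> allowed in every namespace and at cluster scope
  ClusterRole + RoleBinding        -> ClusterRole rules, but only in that one namespace
Simplifications (assumptions of this example): no resourceNames, no nonResourceURLs,
no ClusterRole aggregation, only User subjects.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    resource: str
    api_group: str = ""               # "" is the core API group (pods, secrets, ...)
    namespace: Optional[str] = None   # None models a cluster-scoped request, e.g. --all-namespaces


def _hit(allowed, value):
    return "*" in allowed or value in allowed


def rule_matches(rule, req):
    """A PolicyRule matches when apiGroups, resources and verbs all match ("*" is a wildcard)."""
    return (_hit(rule["apiGroups"], req.api_group)
            and _hit(rule["resources"], req.resource)
            and _hit(rule["verbs"], req.verb))


def authorize(roles, bindings, req):
    """True if any binding naming req.user references a role with a rule matching req.

    roles:    {("Role", namespace, name) or ("ClusterRole", None, name): [PolicyRule, ...]}
    bindings: list of RoleBinding / ClusterRoleBinding dicts (see `binding` below)
    """
    for b in bindings:
        if not any(s["kind"] == "User" and s["name"] == req.user for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            # A RoleBinding only grants inside its own namespace, even when it references
            # a ClusterRole; a cluster-scoped request (namespace None) never matches it.
            if req.namespace is None or req.namespace != b["namespace"]:
                continue
            role_ns = b["namespace"] if ref["kind"] == "Role" else None
        else:
            # A ClusterRoleBinding grants in every namespace and at cluster scope,
            # and may only point at a ClusterRole (the API server rejects a Role here).
            if ref["kind"] != "ClusterRole":
                raise ValueError("ClusterRoleBinding may only reference a ClusterRole")
            role_ns = None
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])
        if any(rule_matches(r, req) for r in rules):
            return True
    return False


# --- the page's objects, reconstructed from its dry-run YAML (constructed test data) ---
POD_READ_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]
ROLES = {
    ("Role", "default", "pod-read"): POD_READ_RULES,          # kubectl create role pod-read ...
    ("ClusterRole", None, "all-pod-read"): POD_READ_RULES,    # kubectl create clusterrole all-pod-read ...
}
SONG = [{"kind": "User", "name": "song"}]


def binding(kind, name, ref_kind, ref_name, namespace=None):
    return {"kind": kind, "name": name, "namespace": namespace,
            "roleRef": {"kind": ref_kind, "name": ref_name}, "subjects": SONG}


SCENARIOS = {
    # kubectl create rolebinding song-pod-read --role=pod-read --user=song   (in namespace default)
    "role+rolebinding": [binding("RoleBinding", "song-pod-read", "Role", "pod-read", "default")],
    # kubectl create clusterrolebinding song-all-pod-read --clusterrole=all-pod-read --user=song
    "clusterrole+clusterrolebinding": [binding("ClusterRoleBinding", "song-all-pod-read",
                                               "ClusterRole", "all-pod-read")],
    # kubectl create rolebinding song-all-pod-read --clusterrole=all-pod-read --user=song
    "clusterrole+rolebinding": [binding("RoleBinding", "song-all-pod-read",
                                        "ClusterRole", "all-pod-read", "default")],
}


def what_song_can_list(bindings):
    """Can song `kubectl get pods` in default, in kube-system, and with --all-namespaces?"""
    def req(ns):
        return Request("song", "list", "pods", namespace=ns)
    return tuple(authorize(ROLES, bindings, req(ns)) for ns in ("default", "kube-system", None))


if __name__ == "__main__":
    for name, bs in SCENARIOS.items():
        d, k, a = what_song_can_list(bs)
        print(f"{name:32s} default={d} kube-system={k} all-namespaces={a}")
```

Running it prints True/False/False for the first and third scenario and True/True/True for the ClusterRoleBinding, matching the three kubectl results on this page; the cluster-scope denial for the RoleBinding cases comes from the single `req.namespace is None` check, which is the whole difference between the two binding kinds.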
Looking at the cluster's most privileged built-in ClusterRoles. Note that admin is not the top of the hierarchy: it is a namespace-level administrator role meant to be handed out through a RoleBinding. Inside a namespace it is close to total control (secrets, pods/exec, pods/attach, services/proxy, and creating Roles and RoleBindings are all included), but it can only read Namespaces and has no rules for cluster-scoped resources such as nodes. The real superuser is cluster-admin, whose two rules are a wildcard over every resource in every API group and over every non-resource URL.
[root@master ~]# kubectl describe clusterrole admin
Name:         admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources                                        Non-Resource URLs  Resource Names  Verbs
  ---------                                        -----------------  --------------  -----
  rolebindings.rbac.authorization.k8s.io           []                 []              [create delete deletecollection get list patch update watch]
  roles.rbac.authorization.k8s.io                  []                 []              [create delete deletecollection get list patch update watch]
  configmaps                                       []                 []              [create delete deletecollection patch update get list watch]
  endpoints                                        []                 []              [create delete deletecollection patch update get list watch]
  persistentvolumeclaims                           []                 []              [create delete deletecollection patch update get list watch]
  pods                                             []                 []              [create delete deletecollection patch update get list watch]
  replicationcontrollers/scale                     []                 []              [create delete deletecollection patch update get list watch]
  replicationcontrollers                           []                 []              [create delete deletecollection patch update get list watch]
  services                                         []                 []              [create delete deletecollection patch update get list watch]
  daemonsets.apps                                  []                 []              [create delete deletecollection patch update get list watch]
  deployments.apps/scale                           []                 []              [create delete deletecollection patch update get list watch]
  deployments.apps                                 []                 []              [create delete deletecollection patch update get list watch]
  replicasets.apps/scale                           []                 []              [create delete deletecollection patch update get list watch]
  replicasets.apps                                 []                 []              [create delete deletecollection patch update get list watch]
  statefulsets.apps/scale                          []                 []              [create delete deletecollection patch update get list watch]
  statefulsets.apps                                []                 []              [create delete deletecollection patch update get list watch]
  horizontalpodautoscalers.autoscaling             []                 []              [create delete deletecollection patch update get list watch]
  cronjobs.batch                                   []                 []              [create delete deletecollection patch update get list watch]
  jobs.batch                                       []                 []              [create delete deletecollection patch update get list watch]
  daemonsets.extensions                            []                 []              [create delete deletecollection patch update get list watch]
  deployments.extensions/scale                     []                 []              [create delete deletecollection patch update get list watch]
  deployments.extensions                           []                 []              [create delete deletecollection patch update get list watch]
  ingresses.extensions                             []                 []              [create delete deletecollection patch update get list watch]
  networkpolicies.extensions                       []                 []              [create delete deletecollection patch update get list watch]
  replicasets.extensions/scale                     []                 []              [create delete deletecollection patch update get list watch]
  replicasets.extensions                           []                 []              [create delete deletecollection patch update get list watch]
  replicationcontrollers.extensions/scale          []                 []              [create delete deletecollection patch update get list watch]
  networkpolicies.networking.k8s.io                []                 []              [create delete deletecollection patch update get list watch]
  poddisruptionbudgets.policy                      []                 []              [create delete deletecollection patch update get list watch]
  deployments.apps/rollback                        []                 []              [create delete deletecollection patch update]
  deployments.extensions/rollback                  []                 []              [create delete deletecollection patch update]
  localsubjectaccessreviews.authorization.k8s.io   []                 []              [create]
  pods/attach                                      []                 []              [get list watch create delete deletecollection patch update]
  pods/exec                                        []                 []              [get list watch create delete deletecollection patch update]
  pods/portforward                                 []                 []              [get list watch create delete deletecollection patch update]
  pods/proxy                                       []                 []              [get list watch create delete deletecollection patch update]
  secrets                                          []                 []              [get list watch create delete deletecollection patch update]
  services/proxy                                   []                 []              [get list watch create delete deletecollection patch update]
  bindings                                         []                 []              [get list watch]
  events                                           []                 []              [get list watch]
  limitranges                                      []                 []              [get list watch]
  namespaces/status                                []                 []              [get list watch]
  namespaces                                       []                 []              [get list watch]
  pods/log                                         []                 []              [get list watch]
  pods/status                                      []                 []              [get list watch]
  replicationcontrollers/status                    []                 []              [get list watch]
  resourcequotas/status                            []                 []              [get list watch]
  resourcequotas                                   []                 []              [get list watch]
  controllerrevisions.apps                         []                 []              [get list watch]
  serviceaccounts                                  []                 []              [impersonate create delete deletecollection patch update get list watch]
[root@master ~]# kubectl describe clusterrole cluster-admin
Name: cluster-admin
Labels: kubernetes.io/bootstrapping=rbac-defaults
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]