LAB-01:权限控制RBAC
LAB 需求
创建一个名为 deployment-clusterrole 的 clusterrole,并且对该 clusterrole 只绑定对 Deployment,Daemonset,Statefulset 的创建权限。
在指定 namespace 为 app-team1 下,创建一个名为 cicd-token 的 serviceaccount,并且将上一步创建 clusterrole 和该 serviceaccount 绑定。
LAB 预配
# 创建 namespace 资源,名称为 app-team1
user1@k8s-master:~/cka/1$ cat ns-app-team1.yml
apiVersion: v1
kind: Namespace
metadata:
name: app-team1
# 部署 namespace 资源
user1@k8s-master:~/cka/1$ kubectl apply -f ns-app-team1.yml
namespace/app-team1 created
# 查看 namespace 资源
user1@k8s-master:~/cka/1$ kubectl get ns app-team1
NAME STATUS AGE
app-team1 Active 21h
LAB 答案
# 切换 content
$ kubectl config use-context k8s
# 创建 clusterrole
$ kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,daemonsets,statefulsets
# 创建 serviceaccount
$ kubectl -n app-team1 create serviceaccount cicd-token
# 创建 rolebinding
$ kubectl -n app-team1 create rolebinding cicd-token-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token
LAB 验证
# 查看 clusterrole。
user1@k8s-master:~$ kubectl get clusterrole deployment-clusterrole
NAME CREATED AT
deployment-clusterrole 2022-05-02T04:47:58Z
# 查看 serviceaccount
user1@k8s-master:~$ kubectl get sa -n app-team1 cicd-token
NAME SECRETS AGE
cicd-token 1 5h7m
# 查看 rolebinding
user1@k8s-master:~$ kubectl get rolebindings.rbac.authorization.k8s.io -n app-team1 cicd-token-binding
NAME ROLE AGE
cicd-token-binding ClusterRole/deployment-clusterrole 5h6m
参考资料
-
https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/
-
https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/#kubectl-create-clusterrole