Resource objects that RBAC can authorize access to
- Pods
- ConfigMaps
- Deployments
- Nodes
- Secrets
- Namespaces
- Endpoints
- CronJobs
- Jobs
- DaemonSets
The operations (verbs) that can be authorized on the resource objects above are:
- create
- get
- delete
- list
- update
- edit
- watch
- exec
Goal: create a user that has only create and get permissions on Pods in the dev namespace
Add the cluster entry to kubeconfig
kubectl config set-cluster dev-cluster --server=https://192.168.3.134:6443 --insecure-skip-tls-verify
Create user
- Create a private key for the dev user and name it dev.key
openssl genrsa -out dev.key 2048
- Create a certificate signing request (CSR) with the private key; the CN becomes the Kubernetes username and O the group
openssl req -new -key dev.key -out dev.csr -subj "/CN=dev-user/O=devorg"
- Sign the CSR with the CA certificate and key that were used to build the Kubernetes cluster, producing the final client certificate
openssl x509 -req -in dev.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out dev.crt -days 500
- Create the dev-user credentials entry from the certificate file and private key file just created
kubectl config set-credentials dev-user --client-certificate=dev.crt --client-key=dev.key
- Create a context
kubectl config set-context dev-context --cluster=dev-cluster --namespace=dev --user=dev-user
- Verify
[root@master-1 rbac]# kubectl get pods --context=dev-context
Error from server (Forbidden): pods is forbidden: User "dev-user" cannot list resource "pods" in API group "" in the namespace "dev"
At this point the user exists; the error appears because no permissions have yet been granted to the user
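The four kubectl config commands above assemble a kubeconfig file one entry at a time. The following added example (not from the original page) builds the same file in one step and then lints it; it assumes the cluster CA, client certificate and key are PEM files (constructed stand-in bytes are used here) and that kubectl reads a JSON kubeconfig, which it does because JSON is valid YAML. The page's set-cluster command passes --insecure-skip-tls-verify, so the resulting client never checks which API server it is talking to; embedding the CA from /etc/kubernetes/pki/ca.crt instead keeps server verification on, and the linter flags the difference.

```python
"""Added example, not part of the original page: build the kubeconfig that the
page's `kubectl config set-cluster / set-credentials / set-context` commands
produce, then lint it. Assumes PEM inputs; the bytes below are constructed."""
import base64
import json


def build_kubeconfig(server, ca_pem, client_cert_pem, client_key_pem,
                     cluster="dev-cluster", user="dev-user",
                     context="dev-context", namespace="dev"):
    """Return a kubeconfig dict. With ca_pem=None the cluster entry is written the
    way the page's --insecure-skip-tls-verify flag writes it; otherwise the CA is
    embedded so the client verifies it is talking to the real API server."""
    b64 = lambda pem: base64.b64encode(pem).decode("ascii")
    cluster_entry = {"server": server}
    if ca_pem is None:
        cluster_entry["insecure-skip-tls-verify"] = True
    else:
        cluster_entry["certificate-authority-data"] = b64(ca_pem)
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster, "cluster": cluster_entry}],
        "users": [{"name": user, "user": {
            "client-certificate-data": b64(client_cert_pem),
            "client-key-data": b64(client_key_pem)}}],
        "contexts": [{"name": context, "context": {
            "cluster": cluster, "user": user, "namespace": namespace}}],
        "current-context": context,
    }


def lint_kubeconfig(cfg):
    """Findings a reviewer would raise before handing the file to a user."""
    findings = []
    for c in cfg["clusters"]:
        entry = c["cluster"]
        if entry.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {c['name']}: TLS verification disabled; "
                            "the client cannot tell a real API server from an impostor")
        elif not (entry.get("certificate-authority")
                  or entry.get("certificate-authority-data")):
            findings.append(f"cluster {c['name']}: no CA configured")
        if entry["server"].startswith("http://"):
            findings.append(f"cluster {c['name']}: plaintext server URL")
    for ctx in cfg["contexts"]:
        if not ctx["context"].get("namespace"):
            findings.append(f"context {ctx['name']}: no default namespace, "
                            "commands fall back to 'default'")
    return findings


def write_kubeconfig(cfg, path):
    """Write the config as JSON; usable directly via kubectl --kubeconfig."""
    with open(path, "w") as fh:
        json.dump(cfg, fh, indent=2)


# Constructed stand-ins for ca.crt / dev.crt / dev.key (not real PEM data)
FAKE_CA = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n"
FAKE_CRT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n"
SERVER = "https://192.168.3.134:6443"   # the API server address used on the page

if __name__ == "__main__":
    with_ca = build_kubeconfig(SERVER, FAKE_CA, FAKE_CRT, FAKE_KEY)
    skip_verify = build_kubeconfig(SERVER, None, FAKE_CRT, FAKE_KEY)
    print("with CA:    ", lint_kubeconfig(with_ca) or "clean")
    print("skip-verify:", lint_kubeconfig(skip_verify))
```

Replace the FAKE_* constants with the real file contents (`open("dev.crt", "rb").read()` and so on) to produce a usable kubeconfig for the dev user.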
Authorization
Create the permissions (Role)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-role
  namespace: dev
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "create"] # ['*'] can also be used to grant all verbs
Bind the user to the permissions (RoleBinding)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-rolebinding
  namespace: dev
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io # an empty string "" is defaulted to this group for User subjects
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io # an empty string "" is defaulted to this group
Verification
Switch context
kubectl config use-context dev-context
Create pod
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: dev
  labels:
    name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
[root@master-1 rbac]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 21m
Test deleting the pod
[root@master-1 rbac]# kubectl delete pod nginx
Error from server (Forbidden): pods "nginx" is forbidden: User "dev-user" cannot delete resource "pods" in API group "" in the namespace "dev"
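The Role, the RoleBinding and the three kubectl attempts above show RBAC from the outside. The following added example (not from the original page) models the decision the API server makes for each of them so the forbidden/allowed outcomes can be reasoned about offline. It assumes the identity is derived from the client certificate subject the way Kubernetes' x509 authenticator derives it (CN is the username, each O is a group, and system:authenticated is always added) and that authorization comes only from a namespaced Role bound by a RoleBinding; the Role, binding and user are constructed from the page's manifests. It also goes beyond the page in two cases a practitioner should know: the Role grants nothing outside its namespace, and `exec` is not a verb but the create verb on the pods/exec subresource, which a plain "pods" entry does not cover.

```python
"""Added example, not part of the original page: a model of the RBAC decision
the API server makes for the requests shown on the page. Assumes x509 identity
(CN -> user, O -> groups) and a namespaced Role bound by a RoleBinding."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    groups: tuple


def identity_from_subject(subject: str) -> Identity:
    """Turn an openssl-style subject ("/CN=dev-user/O=devorg") into the identity
    the API server sees: CN is the username, every O is a group, and every
    authenticated request also carries the system:authenticated group."""
    user, groups = None, []
    for part in subject.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    if not user:
        raise ValueError("subject carries no CN, so Kubernetes has no username")
    return Identity(user, tuple(groups) + ("system:authenticated",))


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple


@dataclass(frozen=True)
class Role:
    name: str
    namespace: str
    rules: tuple


@dataclass(frozen=True)
class RoleBinding:
    namespace: str
    role_name: str
    users: tuple = ()
    groups: tuple = ()


def resource_matches(allowed: tuple, resource: str) -> bool:
    """Match the way the RBAC authorizer does: "*" matches everything, an exact
    entry matches itself, and a subresource such as "pods/exec" also matches a
    "*/exec" entry, but never a plain "pods" entry."""
    if "*" in allowed or resource in allowed:
        return True
    if "/" in resource:
        _, sub = resource.split("/", 1)
        return f"*/{sub}" in allowed
    return False


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    return (("*" in rule.api_groups or api_group in rule.api_groups)
            and resource_matches(rule.resources, resource)
            and ("*" in rule.verbs or verb in rule.verbs))


def authorize(roles, bindings, ident, namespace, api_group, resource, verb) -> bool:
    """RBAC is additive and deny-by-default: the request is allowed only if some
    RoleBinding in the request's namespace names the user or one of its groups
    and the Role it references has a matching rule. Nothing can express a deny."""
    for binding in bindings:
        if binding.namespace != namespace:
            continue
        if ident.user not in binding.users and not set(ident.groups) & set(binding.groups):
            continue
        role = roles.get((binding.namespace, binding.role_name))
        if role is None:          # a roleRef to a missing Role grants nothing
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in role.rules):
            return True
    return False


# The page's Role, RoleBinding and user, as constructed data
DEV_ROLE = Role("dev-role", "dev", (Rule(("",), ("pods",), ("list", "get", "create")),))
DEV_BINDING = RoleBinding("dev", "dev-role", users=("dev-user",))
DEV_USER = identity_from_subject("/CN=dev-user/O=devorg")


def page_scenario() -> dict:
    """Replay the page's kubectl attempts plus two cases the page does not show."""
    roles = {("dev", "dev-role"): DEV_ROLE}
    bound = [DEV_BINDING]
    return {
        # `kubectl get pods --context=dev-context` before any RoleBinding exists
        "list_before_binding": authorize(roles, [], DEV_USER, "dev", "", "pods", "list"),
        # after the RoleBinding: list/create allowed, delete still forbidden
        "list_after_binding": authorize(roles, bound, DEV_USER, "dev", "", "pods", "list"),
        "create_pod": authorize(roles, bound, DEV_USER, "dev", "", "pods", "create"),
        "delete_pod": authorize(roles, bound, DEV_USER, "dev", "", "pods", "delete"),
        # the Role is namespaced: nothing is granted in other namespaces
        "get_pod_in_default": authorize(roles, bound, DEV_USER, "default", "", "pods", "get"),
        # exec is `create` on the pods/exec subresource, not covered by "pods"
        "exec_into_pod": authorize(roles, bound, DEV_USER, "dev", "", "pods/exec", "create"),
    }


if __name__ == "__main__":
    for case, allowed in page_scenario().items():
        print(f"{case:20s} {'allowed' if allowed else 'forbidden'}")
```

The same decision can be checked against a live cluster with `kubectl auth can-i delete pods --namespace dev --context=dev-context`, which asks the API server rather than a local model.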