In Kubernetes, RBAC is enabled through the api server startup flag --authorization-mode:

kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options

The RBAC API manages four kinds of resource objects:

Role: contains a set of rules that represent permissions. Rules are purely additive (there are no "deny" rules).
ClusterRole: defines a role whose scope is the whole cluster.
RoleBinding: grants the permissions defined in a Role to a set of users. A RoleBinding can bind a Role or a ClusterRole to users, groups, or service accounts in a particular namespace.
ClusterRoleBinding: binds a ClusterRole to users, groups, or service accounts across all namespaces.

Role example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

RoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
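To make the scoping rules of the four objects concrete, here is an added example (not code from this page and not Kubernetes' own authorizer) that evaluates requests against the manifests above. The manifests are transcribed as the dicts yaml.safe_load would produce; the evaluator models what the text states: rules are additive with a default of deny, a RoleBinding grants only inside its own namespace (whether it references a Role or a ClusterRole), and a ClusterRoleBinding grants across all namespaces. The extra RoleBinding read-secrets-dev, the users alice and bob and the namespace dev are constructed for the example.

```python
# Toy RBAC evaluator (constructed example). Manifests are written as the
# dicts yaml.safe_load would return for the YAML on this page.
from dataclasses import dataclass

POD_READER = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
SECRET_READER = {
    "kind": "ClusterRole",
    "metadata": {"name": "secret-reader"},  # no namespace: ClusterRoles are cluster-scoped
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}],
}
READ_PODS = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "jane"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}
READ_SECRETS_GLOBAL = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "read-secrets-global"},
    "subjects": [{"kind": "Group", "name": "manager"}],
    "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
}
# Constructed: a RoleBinding that references a ClusterRole grants that
# ClusterRole's rules only inside the binding's namespace ("dev").
READ_SECRETS_DEV = {
    "kind": "RoleBinding",
    "metadata": {"name": "read-secrets-dev", "namespace": "dev"},
    "subjects": [{"kind": "User", "name": "bob"}],
    "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
}
OBJECTS = [POD_READER, SECRET_READER, READ_PODS, READ_SECRETS_GLOBAL, READ_SECRETS_DEV]


@dataclass(frozen=True)
class Subject:
    user: str
    groups: tuple = ()


@dataclass(frozen=True)
class Request:
    verb: str
    resource: str
    namespace: str
    api_group: str = ""  # "" is the core API group


def _rule_matches(rule, req):
    def allows(values, wanted):
        return "*" in values or wanted in values
    return (allows(rule["apiGroups"], req.api_group)
            and allows(rule["resources"], req.resource)
            and allows(rule["verbs"], req.verb))


def _subject_matches(entry, subj):
    if entry["kind"] == "User":
        return entry["name"] == subj.user
    if entry["kind"] == "Group":
        return entry["name"] in subj.groups
    if entry["kind"] == "ServiceAccount":
        # service accounts authenticate as the user system:serviceaccount:<ns>:<name>
        return subj.user == f"system:serviceaccount:{entry['namespace']}:{entry['name']}"
    return False


def is_allowed(objects, subj, req):
    """True if any binding for the subject resolves to a role whose rule matches."""
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for binding in objects:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(_subject_matches(s, subj) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            ns = binding["metadata"]["namespace"]
            if req.namespace != ns:
                continue  # a RoleBinding never grants outside its own namespace
            key = ("Role", ns, ref["name"]) if ref["kind"] == "Role" else ("ClusterRole", "", ref["name"])
        else:
            if ref["kind"] != "ClusterRole":
                continue  # a ClusterRoleBinding may only reference a ClusterRole
            key = ("ClusterRole", "", ref["name"])
        role = roles.get(key)  # a dangling roleRef grants nothing
        if role is not None and any(_rule_matches(r, req) for r in role["rules"]):
            return True
    return False  # nothing matched: rules are additive, so the default is deny


def can_i(user, verb, resource, namespace, groups=()):
    return is_allowed(OBJECTS, Subject(user, tuple(groups)), Request(verb, resource, namespace))


if __name__ == "__main__":
    print("jane get pods/default:", can_i("jane", "get", "pods", "default"))
    print("jane get pods/kube-system:", can_i("jane", "get", "pods", "kube-system"))
    print("manager get secrets/kube-system:", can_i("alice", "get", "secrets", "kube-system", ("manager",)))
```

The interesting checks are the negative ones: jane can read pods only in default, bob can read secrets only in dev even though the rules come from a ClusterRole, and no subject can delete or create anything because no rule grants those verbs. On a live cluster the equivalent question is answered by kubectl auth can-i.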