In Kubernetes, RBAC is enabled through the kube-apiserver start-up flag --authorization-mode:

kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options

Here Example stands in for whatever other authorizer you chain in front of RBAC (a kubeadm cluster typically runs --authorization-mode=Node,RBAC). The modes are evaluated in the order listed, and the first one that allows or denies the request wins, so never put AlwaysAllow in the chain: it would authorize every request before RBAC is consulted.
The RBAC API manages four kinds of object:
Role: a set of rules describing permissions, scoped to a single namespace. Rules are purely additive (there is no "deny" rule), so access can only be taken away by removing a rule or a binding.
ClusterRole: a cluster-scoped (non-namespaced) role. It can grant access to cluster-scoped resources such as nodes, to non-resource endpoints, or to namespaced resources across every namespace.
RoleBinding: grants the permissions defined in a role to a set of subjects. A RoleBinding can reference either a Role or a ClusterRole, and binds it to users, groups or service accounts within one namespace; when it references a ClusterRole, the permissions apply only inside the RoleBinding's namespace.
ClusterRoleBinding: binds a ClusterRole to users, groups or service accounts across all namespaces.
Role example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

ClusterRole example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

RoleBinding example:

apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

ClusterRoleBinding example (note that this grants every member of the "manager" group read access to every Secret in every namespace, kube-system included, so the group membership itself becomes a sensitive control):

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
kind: ClusterRoleBinding
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: manager # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
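The following is an added example, not code from the original page or from Kubernetes. It models how the apiserver evaluates the four object kinds above: a request is allowed when any rule of any Role or ClusterRole bound to one of its subjects matches, rules only ever add permissions, a RoleBinding counts only inside its own namespace even when its roleRef is a ClusterRole, and a ClusterRoleBinding counts everywhere. The manifests are the page's four objects written as Python dicts, plus one assumed RoleBinding, "read-secrets-dev", that binds the ClusterRole "secret-reader" to "jane" in a hypothetical "dev" namespace so the namespace scoping of that pattern is visible.

```python
"""Offline model of Kubernetes RBAC evaluation (added example, not Kubernetes code).

Semantics modelled: allow if any rule of any bound role matches one of the
request's subjects; rules are additive, there is no deny; ClusterRoleBindings
apply everywhere; RoleBindings apply only in their own namespace.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset         # groups the authenticator attached to the user
    verb: str                 # get, list, watch, create, delete, ...
    api_group: str            # "" is the core API group
    resource: str             # pods, secrets, nodes, ...
    namespace: Optional[str]  # None for cluster-scoped resources such as nodes


def _covers(allowed, wanted):
    # A rule field matches by exact name or by the "*" wildcard.
    return "*" in allowed or wanted in allowed


def rule_allows(rule, req):
    return (_covers(rule.get("apiGroups", []), req.api_group)
            and _covers(rule.get("resources", []), req.resource)
            and _covers(rule.get("verbs", []), req.verb))


def subject_matches(subject, req):
    kind, name = subject["kind"], subject["name"]  # names are case sensitive
    if kind == "User":
        return name == req.user
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":  # authenticates as system:serviceaccount:<ns>:<name>
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


class RBACAuthorizer:
    def __init__(self, manifests):
        self.roles, self.cluster_roles = {}, {}  # (ns, name) -> rules ; name -> rules
        self.role_bindings, self.cluster_role_bindings = [], []
        for m in manifests:
            kind, meta = m["kind"], m["metadata"]
            if kind == "Role":
                self.roles[(meta["namespace"], meta["name"])] = m["rules"]
            elif kind == "ClusterRole":
                self.cluster_roles[meta["name"]] = m["rules"]
            elif kind == "RoleBinding":
                self.role_bindings.append(m)
            elif kind == "ClusterRoleBinding":
                self.cluster_role_bindings.append(m)
            else:
                raise ValueError(f"not an RBAC object: {kind}")

    def _rules(self, role_ref, binding_namespace):
        if role_ref["kind"] == "ClusterRole":
            return self.cluster_roles.get(role_ref["name"], [])
        # A RoleBinding may only reference a Role in its own namespace; a
        # ClusterRoleBinding (binding_namespace None) cannot reference a Role at all.
        return self.roles.get((binding_namespace, role_ref["name"]), [])

    def _grants(self, binding, req, namespace):
        return (any(subject_matches(s, req) for s in binding.get("subjects", []))
                and any(rule_allows(r, req) for r in self._rules(binding["roleRef"], namespace)))

    def allowed(self, req):
        # ClusterRoleBindings apply in every namespace and to cluster-scoped resources.
        if any(self._grants(b, req, None) for b in self.cluster_role_bindings):
            return True
        if req.namespace is None:  # cluster-scoped request: RoleBindings cannot help
            return False
        # RoleBindings apply only in their own namespace, even when roleRef is a
        # ClusterRole. No match means "no opinion", which the apiserver treats as denied.
        return any(self._grants(b, req, req.namespace) for b in self.role_bindings
                   if b["metadata"]["namespace"] == req.namespace)


_RBAC = "rbac.authorization.k8s.io"
PAGE_MANIFESTS = [  # the page's four objects (apiVersion omitted), then one assumed binding
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "jane", "apiGroup": _RBAC}],
     "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": _RBAC}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-secrets-global"},
     "subjects": [{"kind": "Group", "name": "manager", "apiGroup": _RBAC}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader", "apiGroup": _RBAC}},
    # Assumed for illustration, not on the page: a ClusterRole bound by a
    # RoleBinding grants only inside that binding's namespace ("dev").
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets-dev", "namespace": "dev"},
     "subjects": [{"kind": "User", "name": "jane", "apiGroup": _RBAC}],
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader", "apiGroup": _RBAC}},
]
PAGE_AUTHORIZER = RBACAuthorizer(PAGE_MANIFESTS)


def can(user, groups, verb, resource, namespace, api_group=""):
    # Mirrors `kubectl auth can-i VERB RESOURCE -n NAMESPACE --as USER --as-group GROUP`.
    return PAGE_AUTHORIZER.allowed(
        Request(user, frozenset(groups), verb, api_group, resource, namespace))
```

With these manifests, `can("jane", [], "get", "pods", "default")` is True but the same request in kube-system is False; `can("jane", [], "list", "secrets", "dev")` is True only because of the assumed RoleBinding and is False in "default"; any member of "manager" can get secrets in every namespace but cannot delete them, because no rule adds that verb. On a real cluster the equivalent checks are `kubectl auth can-i get pods -n default --as jane` and `kubectl auth can-i get secrets -n kube-system --as bob --as-group manager`; run them after every binding change, since RBAC has no deny rule to catch an over-broad grant.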