RBAC (Role-Based Access Control) is a way of managing what users may do by assigning them roles rather than individual permissions.
The RBAC API declares four kinds of Kubernetes objects:
- Role
- ClusterRole
- RoleBinding
- ClusterRoleBinding
How do the four objects differ?
- A Role grants permissions inside one specified Namespace, while a ClusterRole is not bound to a Namespace: it can also cover cluster-scoped resources (such as nodes) and namespaced resources across all Namespaces.
- A binding grants the permissions defined in a Role or ClusterRole to one or more subjects: users, groups, or ServiceAccounts.
- A RoleBinding grants permissions within its own Namespace, while a ClusterRoleBinding grants them across the whole cluster. A RoleBinding may reference a ClusterRole; in that case the ClusterRole's rules apply only inside the RoleBinding's Namespace, which is the pattern used below.
The following shows how to bind permissions to a ServiceAccount.
A ServiceAccount provides an identity for the processes running in a Pod; it is designed for calling the Kubernetes API or other external services.
Create the ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <serviceaccount>
  namespace: <namespace>
Create the ClusterRole
- Permissions limited to Pods and Jobs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <role-name>
rules:
  # Pods live in the core group (""), Jobs in "batch". Listing the groups explicitly
  # instead of "*" keeps the rule from matching same-named resources in other API groups.
  - apiGroups: ["", "batch"]
    resources: ["pods", "jobs", "pods/status", "jobs/status"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- Permissions on all resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <role-name>
rules:
  # Every verb on every resource in every API group: effectively cluster-admin over the API.
  # Bind this to a ServiceAccount only when nothing narrower will do, and prefer a
  # RoleBinding (single Namespace) over a ClusterRoleBinding.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
Create the RoleBinding
Scoped to one Namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: <rolebind-name>
  namespace: <namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole   # a ClusterRole referenced here is granted only inside this Namespace
  name: <role-name>
subjects:
  - kind: ServiceAccount
    name: <serviceaccount>
    namespace: <namespace>
Create the ClusterRoleBinding
Grants the ClusterRole in every Namespace and on cluster-scoped resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <clusterrolebinding-name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <role-name>
subjects:
  - kind: ServiceAccount
    name: <serviceaccount>
    namespace: <namespace>   # the Namespace the ServiceAccount lives in
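To make the scoping rules concrete, here is an added example (not code from the page or from Kubernetes) that models how the RBAC authorizer resolves a ServiceAccount's permissions from the four object kinds above. The manifests are Python dicts mirroring the YAML; all names (dev-sa, ci-sa, pod-manager, all-access, dev-pod-manager, ci-all-access) are constructed for this example. It shows that a ClusterRole bound with a RoleBinding works only in that Namespace, while the wildcard ClusterRole bound with a ClusterRoleBinding reaches Secrets in kube-system and cluster-scoped Nodes.

```python
"""Added example (not from the page or from Kubernetes): an offline model of how the
RBAC authorizer resolves a ServiceAccount's permissions from Role/ClusterRole and
RoleBinding/ClusterRoleBinding objects. Manifests are dicts mirroring the YAML; every
name (dev-sa, ci-sa, pod-manager, all-access, ...) is constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    kind: str            # ServiceAccount, User or Group
    name: str
    namespace: str = ""  # set for ServiceAccount subjects only


def _hit(allowed, value):
    return "*" in allowed or value in allowed


def rule_matches(rule, verb, group, resource):
    """A PolicyRule matches when verb, apiGroup and resource all match ('*' is a
    wildcard); a subresource like pods/status also matches a rule listing pods/*."""
    res_ok = _hit(rule["resources"], resource) or (
        "/" in resource and resource.split("/", 1)[0] + "/*" in rule["resources"])
    return _hit(rule["verbs"], verb) and _hit(rule["apiGroups"], group) and res_ok


def subject_matches(subj, sa):
    """Besides kind: ServiceAccount, a ServiceAccount is reachable as the User
    system:serviceaccount:<ns>:<name> and through the system:serviceaccounts groups."""
    kind, name, ns = subj["kind"], subj["name"], subj.get("namespace", "")
    if kind == "ServiceAccount":
        return name == sa.name and ns == sa.namespace
    if kind == "User":
        return name == f"system:serviceaccount:{sa.namespace}:{sa.name}"
    if kind == "Group":
        return name in {"system:serviceaccounts", f"system:serviceaccounts:{sa.namespace}",
                        "system:authenticated"}
    return False


class Authorizer:
    def __init__(self, manifests):
        self.roles, self.cluster_roles = {}, {}       # Role by (ns, name); ClusterRole by name
        self.role_bindings, self.cluster_role_bindings = [], []
        for m in manifests:                           # ServiceAccount objects carry no rules
            kind, meta = m["kind"], m["metadata"]
            if kind == "Role":
                self.roles[(meta["namespace"], meta["name"])] = m.get("rules", [])
            elif kind == "ClusterRole":
                self.cluster_roles[meta["name"]] = m.get("rules", [])
            elif kind == "RoleBinding":
                self.role_bindings.append(m)
            elif kind == "ClusterRoleBinding":
                self.cluster_role_bindings.append(m)

    def _rules_for(self, binding, ns):
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole":
            return self.cluster_roles.get(ref["name"], [])
        return self.roles.get((ns, ref["name"]), [])  # a Role must live in the binding's namespace

    def _granted(self, binding, sa, verb, group, resource, ns):
        return any(subject_matches(s, sa) for s in binding.get("subjects", [])) and any(
            rule_matches(r, verb, group, resource) for r in self._rules_for(binding, ns))

    def can(self, sa, verb, group, resource, namespace=""):
        """namespace='' means a cluster-scoped request such as nodes."""
        # A ClusterRoleBinding applies in every namespace and to cluster-scoped resources.
        if any(self._granted(b, sa, verb, group, resource, "") for b in self.cluster_role_bindings):
            return True
        # A RoleBinding applies only to namespaced requests inside its own namespace,
        # even when its roleRef is a ClusterRole.
        return bool(namespace) and any(
            b["metadata"]["namespace"] == namespace and self._granted(b, sa, verb, group, resource, namespace)
            for b in self.role_bindings)


MANIFESTS = [  # constructed; mirrors the objects shown above
    {"kind": "ServiceAccount", "metadata": {"name": "dev-sa", "namespace": "dev"}},
    {"kind": "ServiceAccount", "metadata": {"name": "ci-sa", "namespace": "ci"}},
    {"kind": "ClusterRole", "metadata": {"name": "pod-manager"}, "rules": [
        {"apiGroups": ["", "batch"], "resources": ["pods", "jobs", "pods/status", "jobs/status"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "all-access"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-pod-manager", "namespace": "dev"},  # ClusterRole scoped to dev
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "pod-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "dev-sa", "namespace": "dev"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-all-access"},  # wildcard role, cluster-wide
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "all-access"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-sa", "namespace": "ci"}]},
]
DEV_SA, CI_SA = Subject("ServiceAccount", "dev-sa", "dev"), Subject("ServiceAccount", "ci-sa", "ci")


def demo():
    """The checks one would run on a real cluster with `kubectl auth can-i`."""
    a = Authorizer(MANIFESTS)
    return {
        "dev-sa list pods in dev": a.can(DEV_SA, "list", "", "pods", "dev"),
        "dev-sa patch jobs/status in dev": a.can(DEV_SA, "patch", "batch", "jobs/status", "dev"),
        "dev-sa list pods in prod": a.can(DEV_SA, "list", "", "pods", "prod"),
        "dev-sa get secrets in dev": a.can(DEV_SA, "get", "", "secrets", "dev"),
        "dev-sa list nodes": a.can(DEV_SA, "list", "", "nodes"),
        "ci-sa get secrets in kube-system": a.can(CI_SA, "get", "", "secrets", "kube-system"),
        "ci-sa list nodes": a.can(CI_SA, "list", "", "nodes"),
    }
```

On a real cluster the same questions are answered by the API server itself, for example `kubectl auth can-i list pods --as=system:serviceaccount:<namespace>:<serviceaccount> -n <namespace>`; running that after applying the bindings is the quickest way to confirm that a ServiceAccount got exactly the scope you intended and nothing more.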