(3) Creating a RoleBinding, command-line form:
kubectl create rolebinding test-pods --role=test --user=zsk
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-pods
roleRef: # the Role being referenced
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: zsk
You can bind a Role that does not exist (the API server accepts the binding), but obviously it grants nothing.
A role binding grants the permissions defined in a role to one user or a group of users. A role binding contains a set of related subjects (a subject can be a User, a Group, or a ServiceAccount) together with a reference to the role being granted. Within a namespace, permissions are granted through a RoleBinding object, while cluster-wide permissions are granted through a ClusterRoleBinding object. The example above grants permissions to the user zsk; this user does not need to be created manually, because Kubernetes has no User object and the name is simply matched against the identity presented by the authenticator.
The kind under subjects can of course also be ServiceAccount or Group.
Now the user zsk has the verbs ["list", "watch", "get", "update", "create", "patch"] on pods in the default namespace, and the verbs ["list", "watch"] on statefulsets.
(4) Creating a ClusterRoleBinding
This is the same as a RoleBinding, with no real difference, except that it can only bind a ClusterRole to a User, Group or ServiceAccount. The following shows how to bind a user with a ClusterRoleBinding:
Bind the cluster role cluster-admin to the user kubernetes. The binding takes the form of a ClusterRoleBinding and its name is kubernetes; the name can be anything.
k create clusterrolebinding kubernetes --clusterrole=cluster-admin --user=kubernetes
[root@k8s-master ~]# k create clusterrolebinding my --clusterrole=cluster-admin --user=kubernetes
clusterrolebinding.rbac.authorization.k8s.io/my created
OK, check the bindings:
[root@k8s-master ~]# k get clusterrolebindings.rbac.authorization.k8s.io -A |grep cluster-ad
cluster-admin            ClusterRole/cluster-admin   31d
kubelet-bootstrap        ClusterRole/cluster-admin   31d
kubernetes               ClusterRole/cluster-admin   154m
my                       ClusterRole/cluster-admin   72s
system:kube-proxy        ClusterRole/cluster-admin   31d
system:node:k8s-node2    ClusterRole/cluster-admin   31d
zsk                      ClusterRole/cluster-admin   6h10m
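To make the scoping rules of sections (3) and (4) concrete, here is an added example (it is not from the original post and not the Kubernetes authorizer's own code): a small Python model of RBAC evaluation over in-memory objects shaped like the manifests above. The Role `test`, the RoleBinding `test-pods` for user zsk and the ClusterRoleBinding `my` for user kubernetes are taken from the page; the rule list of `test` uses the verbs the text lists with apiGroups assumed, and the `dangling` binding is constructed to show what a binding to a missing Role does. Only resource rules are modelled, not nonResourceURLs.

```python
"""Offline model of Kubernetes RBAC evaluation (added example, not Kubernetes code).

Mirrors the documented semantics: a RoleBinding grants a Role (or ClusterRole)
only inside the binding's own namespace; a ClusterRoleBinding grants a ClusterRole
in every namespace; rules are additive and there is no deny rule.
"""

# Constructed sample objects shaped like the API objects on the page.
ROLES = [
    {"kind": "Role", "metadata": {"name": "test", "namespace": "default"},
     "rules": [
         # apiGroups are an assumption: pods are in the core group, statefulsets in apps
         {"apiGroups": [""], "resources": ["pods"],
          "verbs": ["list", "watch", "get", "update", "create", "patch"]},
         {"apiGroups": ["apps"], "resources": ["statefulsets"],
          "verbs": ["list", "watch"]},
     ]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

BINDINGS = [
    # RoleBinding in default: user zsk -> Role test (namespace-scoped)
    {"kind": "RoleBinding", "metadata": {"name": "test-pods", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "test"},
     "subjects": [{"kind": "User", "name": "zsk"}]},
    # Constructed: RoleBinding to a Role that does not exist; accepted, grants nothing
    {"kind": "RoleBinding", "metadata": {"name": "dangling", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "does-not-exist"},
     "subjects": [{"kind": "User", "name": "nobody"}]},
    # ClusterRoleBinding: user kubernetes -> ClusterRole cluster-admin (cluster-wide)
    {"kind": "ClusterRoleBinding", "metadata": {"name": "my"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "kubernetes"}]},
]


def _lookup_role(role_ref, namespace):
    """Resolve a roleRef. A Role must live in the binding's namespace;
    a ClusterRole is cluster-scoped and can be referenced from anywhere."""
    for role in ROLES:
        if role["kind"] != role_ref["kind"] or role["metadata"]["name"] != role_ref["name"]:
            continue
        if role["kind"] == "ClusterRole" or role["metadata"].get("namespace") == namespace:
            return role
    return None  # dangling reference: the binding grants nothing


def _rule_matches(rule, api_group, resource, verb):
    """A PolicyRule allows the request when group, resource and verb each match;
    '*' is a wildcard in any of the three lists."""
    return ((api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (resource in rule["resources"] or "*" in rule["resources"])
            and (verb in rule["verbs"] or "*" in rule["verbs"]))


def _subject_matches(subject, user, groups):
    """Match a binding subject against the authenticated identity. ServiceAccounts
    authenticate as system:serviceaccount:<namespace>:<name>, so they match by name."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        return user == f"system:serviceaccount:{subject.get('namespace', '')}:{subject['name']}"
    return False


def can_i(user, verb, resource, namespace, api_group="", groups=()):
    """True if any binding grants `user` the `verb` on `resource` in `namespace`."""
    for binding in BINDINGS:
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        if binding["kind"] == "RoleBinding":
            if binding["metadata"]["namespace"] != namespace:
                continue  # a RoleBinding never reaches outside its namespace
            role = _lookup_role(binding["roleRef"], namespace)
        else:  # ClusterRoleBinding: applies in every namespace
            role = _lookup_role(binding["roleRef"], None)
        if role is None:
            continue
        if any(_rule_matches(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    print("zsk list pods in default:", can_i("zsk", "list", "pods", "default"))
    print("zsk list pods in kube-system:", can_i("zsk", "list", "pods", "kube-system"))
    print("kubernetes delete secrets in kube-system:",
          can_i("kubernetes", "delete", "secrets", "kube-system"))
```

On a real cluster the equivalent check is `kubectl auth can-i list pods --as zsk -n default`, which asks the API server's own authorizer instead of this model.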
四, Built-in system Roles and ClusterRoles in the cluster
Built-in Roles:
NAMESPACE              NAME                                               CREATED AT
kube-public            system:controller:bootstrap-signer                 2022-08-27T01:22:55Z
kube-system            extension-apiserver-authentication-reader          2022-08-27T01:22:55Z
kube-system            system::leader-locking-kube-controller-manager     2022-08-27T01:22:55Z
kube-system            system::leader-locking-kube-scheduler              2022-08-27T01:22:55Z
kube-system            system:controller:bootstrap-signer                 2022-08-27T01:22:55Z
kube-system            system:controller:cloud-provider                   2022-08-27T01:22:55Z
kube-system            system:controller:token-cleaner                    2022-08-27T01:22:55Z
kubernetes-dashboard   kubernetes-dashboard                               2022-09-04T02:39:34Z
These roles have one thing in common: they were all created at the same time, when the kube-apiserver service started for the first time. Pick one at random and look at its permissions:
[root@master ~]# k describe role system:controller:token-cleaner -n kube-system
Name:         system:controller:token-cleaner
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources             Non-Resource URLs  Resource Names  Verbs
  ---------             -----------------  --------------  -----
  events                []                 []              [create patch update]
  events.events.k8s.io  []                 []              [create patch update]
  secrets               []                 []              [delete get list watch]
As you can see, the permissions of the system:controller:token-cleaner role cover events, secrets and events.events.k8s.io, and they apply only within the kube-system namespace.
Built-in ClusterRoles:
There are quite a few cluster roles; focusing on the important ones, these are mainly cluster-admin, admin, edit and view.
[root@master ~]# k get clusterrole -A
NAME                                                                   CREATED AT
admin                                                                  2022-08-27T01:22:54Z
cluster-admin                                                          2022-08-27T01:22:53Z
edit                                                                   2022-08-27T01:22:54Z
flannel                                                                2022-08-27T08:05:45Z
kubernetes-dashboard                                                   2022-09-04T02:39:34Z
system:aggregate-to-admin                                              2022-08-27T01:22:54Z
system:aggregate-to-edit                                               2022-08-27T01:22:54Z
system:aggregate-to-view                                               2022-08-27T01:22:54Z
system:auth-delegator                                                  2022-08-27T01:22:54Z
system:basic-user                                                      2022-08-27T01:22:54Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient       2022-08-27T01:22:54Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient   2022-08-27T01:22:54Z
system:certificates.k8s.io:kube-apiserver-client-approver              2022-08-27T01:22:54Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver      2022-08-27T01:22:54Z
system:certificates.k8s.io:kubelet-serving-approver                    2022-08-27T01:22:54Z
system:certificates.k8s.io:legacy-unknown-approver                     2022-08-27T01:22:54Z
system:controller:attachdetach-controller                              2022-08-27T01:22:54Z
system:controller:certificate-controller                               2022-08-27T01:22:54Z
system:controller:clusterrole-aggregation-controller                   2022-08-27T01:22:54Z
system:controller:cronjob-controller                                   2022-08-27T01:22:54Z
system:controller:daemon-set-controller                                2022-08-27T01:22:54Z
system:controller:deployment-controller                                2022-08-27T01:22:54Z
system:controller:disruption-controller                                2022-08-27T01:22:54Z
system:controller:endpoint-controller                                  2022-08-27T01:22:54Z
system:controller:endpointslice-controller                             2022-08-27T01:22:54Z
system:controller:expand-controller                                    2022-08-27T01:22:54Z
system:controller:generic-garbage-collector                            2022-08-27T01:22:54Z
system:controller:horizontal-pod-autoscaler                            2022-08-27T01:22:54Z
system:controller:job-controller                                       2022-08-27T01:22:54Z
system:controller:namespace-controller                                 2022-08-27T01:22:54Z
system:controller:node-controller                                      2022-08-27T01:22:54Z
system:controller:persistent-volume-binder                             2022-08-27T01:22:54Z
system:controller:pod-garbage-collector                                2022-08-27T01:22:54Z
system:controller:pv-protection-controller                             2022-08-27T01:22:54Z
system:controller:pvc-protection-controller                            2022-08-27T01:22:54Z
system:controller:replicaset-controller                                2022-08-27T01:22:54Z
system:controller:replication-controller                               2022-08-27T01:22:54Z
system:controller:resourcequota-controller                             2022-08-27T01:22:54Z
system:controller:route-controller                                     2022-08-27T01:22:54Z
system:controller:service-account-controller                           2022-08-27T01:22:54Z
system:controller:service-controller                                   2022-08-27T01:22:54Z
system:controller:statefulset-controller                               2022-08-27T01:22:54Z
system:controller:ttl-controller                                       2022-08-27T01:22:54Z
system:coredns                                                         2022-08-27T12:45:57Z
system:discovery                                                       2022-08-27T01:22:54Z
system:heapster                                                        2022-08-27T01:22:54Z
system:kube-aggregator                                                 2022-08-27T01:22:54Z
system:kube-apiserver-to-kubelet                                       2022-08-28T02:23:48Z
system:kube-controller-manager                                         2022-08-27T01:22:54Z
system:kube-dns                                                        2022-08-27T01:22:54Z
system:kube-scheduler                                                  2022-08-27T01:22:54Z
system:kubelet-api-admin                                               2022-08-27T01:22:54Z
system:node                                                            2022-08-27T01:22:54Z
system:node-bootstrapper                                               2022-08-27T01:22:54Z
system:node-problem-detector                                           2022-08-27T01:22:54Z
system:node-proxier                                                    2022-08-27T01:22:54Z
system:persistent-volume-provisioner                                   2022-08-27T01:22:54Z
system:public-info-viewer                                              2022-08-27T01:22:54Z
system:volume-scheduler                                                2022-08-27T01:22:54Z
testclusterrole                                                        2022-09-04T12:30:29Z
view                                                                   2022-08-27T01:22:54Z
Look at the permissions of admin: a huge number of them, which shows how powerful this role is:
[root@master ~]# k describe clusterrole admin
Name:         admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources                                        Non-Resource URLs  Resource Names  Verbs
  ---------                                        -----------------  --------------  -----
  rolebindings.rbac.authorization.k8s.io           []                 []              [create delete deletecollection get list patch update watch]
  roles.rbac.authorization.k8s.io                  []                 []              [create delete deletecollection get list patch update watch]
  configmaps                                       []                 []              [create delete deletecollection patch update get list watch]
  endpoints                                        []                 []              [create delete deletecollection patch update get list watch]
  persistentvolumeclaims                           []                 []              [create delete deletecollection patch update get list watch]
  pods                                             []                 []              [create delete deletecollection patch update get list watch]
  replicationcontrollers/scale                     []                 []              [create delete deletecollection patch update get list watch]
  replicationcontrollers                           []                 []              [create delete deletecollection patch update get list watch]
  services                                         []                 []              [create delete deletecollection patch update get list watch]
  daemonsets.apps                                  []                 []              [create delete deletecollection patch update get list watch]
  deployments.apps/scale                           []                 []              [create delete deletecollection patch update get list watch]
  deployments.apps                                 []                 []              [create delete deletecollection patch update get list watch]
  replicasets.apps/scale                           []                 []              [create delete deletecollection patch update get list watch]
  replicasets.apps                                 []                 []              [create delete deletecollection patch update get list watch]
  statefulsets.apps/scale                          []                 []              [create delete deletecollection patch update get list watch]
  statefulsets.apps                                []                 []              [create delete deletecollection patch update get list watch]
  horizontalpodautoscalers.autoscaling             []                 []              [create delete deletecollection patch update get list watch]
  cronjobs.batch                                   []                 []              [create delete deletecollection patch update get list watch]
  jobs.batch                                       []                 []              [create delete deletecollection patch update get list watch]
  daemonsets.extensions                            []                 []              [create delete deletecollection patch update get list watch]
  deployments.extensions/scale                     []                 []              [create delete deletecollection patch update get list watch]
  deployments.extensions                           []                 []              [create delete deletecollection patch update get list watch]
  ingresses.extensions                             []                 []              [create delete deletecollection patch update get list watch]
  networkpolicies.extensions                       []                 []              [create delete deletecollection patch update get list watch]
  replicasets.extensions/scale                     []                 []              [create delete deletecollection patch update get list watch]
  replicasets.extensions                           []                 []              [create delete deletecollection patch update get list watch]
  replicationcontrollers.extensions/scale          []                 []              [create delete deletecollection patch update get list watch]
  ingresses.networking.k8s.io                      []                 []              [create delete deletecollection patch update get list watch]
  networkpolicies.networking.k8s.io                []                 []              [create delete deletecollection patch update get list watch]
  poddisruptionbudgets.policy                      []                 []              [create delete deletecollection patch update get list watch]
  deployments.apps/rollback                        []                 []              [create delete deletecollection patch update]
  deployments.extensions/rollback                  []                 []              [create delete deletecollection patch update]
  localsubjectaccessreviews.authorization.k8s.io   []                 []              [create]
  pods/attach                                      []                 []              [get list watch create delete deletecollection patch update]
  pods/exec                                        []                 []              [get list watch create delete deletecollection patch update]
  pods/portforward                                 []                 []              [get list watch create delete deletecollection patch update]
  pods/proxy                                       []                 []              [get list watch create delete deletecollection patch update]
  secrets                                          []                 []              [get list watch create delete deletecollection patch update]
  services/proxy                                   []                 []              [get list watch create delete deletecollection patch update]
  bindings                                         []                 []              [get list watch]
  events                                           []                 []              [get list watch]
  limitranges                                      []                 []              [get list watch]
  namespaces/status                                []                 []              [get list watch]
  namespaces                                       []                 []              [get list watch]
  persistentvolumeclaims/status                    []                 []              [get list watch]
  pods/log                                         []                 []              [get list watch]
  pods/status                                      []                 []              [get list watch]
  replicationcontrollers/status                    []                 []              [get list watch]
  resourcequotas/status                            []                 []              [get list watch]
  resourcequotas                                   []                 []              [get list watch]
  services/status                                  []                 []              [get list watch]
  controllerrevisions.apps                         []                 []              [get list watch]
  daemonsets.apps/status                           []                 []              [get list watch]
  deployments.apps/status                          []                 []              [get list watch]
  replicasets.apps/status                          []                 []              [get list watch]
  statefulsets.apps/status                         []                 []              [get list watch]
  horizontalpodautoscalers.autoscaling/status      []                 []              [get list watch]
  cronjobs.batch/status                            []                 []              [get list watch]
  jobs.batch/status                                []                 []              [get list watch]
  daemonsets.extensions/status                     []                 []              [get list watch]
  deployments.extensions/status                    []                 []              [get list watch]
  ingresses.extensions/status                      []                 []              [get list watch]
  replicasets.extensions/status                    []                 []              [get list watch]
  ingresses.networking.k8s.io/status               []                 []              [get list watch]
  poddisruptionbudgets.policy/status               []                 []              [get list watch]
  serviceaccounts                                  []                 []              [impersonate create delete deletecollection patch update get list watch]
The cluster-admin role can grant permissions to other roles and use every other resource; it is even more formidable than admin, the role with real power of life and death (a tough one):
[root@master ~]# k describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
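Because every binding to cluster-admin confers this unrestricted power, the list printed by `kubectl get clusterrolebindings` in section (4) is the thing to review regularly. The following is an added example, not from the original post: a Python parser for that plain-text table that reports every binding to ClusterRole/cluster-admin except the API server's own default binding (named cluster-admin, which grants the role to the system:masters group), newest first. The sample table is constructed from the binding names shown on this page plus one made-up `flannel` row bound to a different role; the allow-list is an assumption you would adjust for your cluster.

```python
"""Audit helper for cluster-admin bindings (added example, not the page's own code).

Parses the table printed by `kubectl get clusterrolebindings` and lists every
binding that hands out ClusterRole/cluster-admin apart from names on an
allow-list. Results are ordered newest first, since a freshly created binding
is the one most worth a second look.
"""
import re

# Constructed sample modelled on the output shown on this page; the `flannel`
# row is made up to show that bindings to other roles are ignored.
SAMPLE_TABLE = """\
NAME                    ROLE                        AGE
cluster-admin           ClusterRole/cluster-admin   31d
flannel                 ClusterRole/flannel         31d
kubelet-bootstrap       ClusterRole/cluster-admin   31d
kubernetes              ClusterRole/cluster-admin   154m
my                      ClusterRole/cluster-admin   72s
system:kube-proxy       ClusterRole/cluster-admin   31d
system:node:k8s-node2   ClusterRole/cluster-admin   31d
zsk                     ClusterRole/cluster-admin   6h10m
"""

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}


def age_to_seconds(age):
    """Convert kubectl's compact AGE column (72s, 154m, 6h10m, 31d, 2y45d) to seconds."""
    parts = re.findall(r"(\d+)([smhdy])", age)
    if not parts:
        raise ValueError(f"unrecognised age: {age!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def parse_table(text):
    """Turn the header line plus rows into dicts keyed by column name.
    Assumes single-word headers and values without spaces, which holds for
    the NAME / ROLE / AGE columns of this command."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


# Assumed allow-list: only the binding kube-apiserver creates itself.
DEFAULT_BINDINGS = frozenset({"cluster-admin"})


def unexpected_cluster_admin_bindings(rows, allowlist=DEFAULT_BINDINGS):
    """Return (name, age_seconds) for every cluster-admin binding not on the
    allow-list, youngest binding first."""
    hits = [
        (row["NAME"], age_to_seconds(row["AGE"]))
        for row in rows
        if row["ROLE"] == "ClusterRole/cluster-admin" and row["NAME"] not in allowlist
    ]
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for name, secs in unexpected_cluster_admin_bindings(parse_table(SAMPLE_TABLE)):
        print(f"{name:24s} cluster-admin for {secs:>8d}s; "
              f"inspect subjects with: kubectl get clusterrolebinding {name} -o yaml")
```

The table only shows which binding grants the role; `kubectl get clusterrolebinding <name> -o yaml` shows the subjects (users, groups or service accounts) that actually receive it.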
The view role, the role that can view everything:
[root@master ~]# k describe clusterrole view
Name:         view
Labels:       kubernetes.io/bootstrapping=rbac-defaults
              rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  ---------   -----------------  --------------  -----
  bindings    []                 []              [get list watch]
  configmaps  []                 []              [get list watch]
  endpoints   []                 []              [get list watch]
  events      []                 []              [get list watch]
  ...
The edit role, the role that can modify everything:
[root@master ~]# k describe clusterrole edit
Name:         edit
Labels:       kubernetes.io/bootstrapping=rbac-defaults
              rbac.authorization.k8s.io/aggregate-to-admin=true
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources               Non-Resource URLs  Resource Names  Verbs
  ---------               -----------------  --------------  -----
  configmaps              []                 []              [create delete deletecollection patch update get list watch]
  endpoints               []                 []              [create delete deletecollection patch update get list watch]
  persistentvolumeclaims  []                 []              [create delete deletecollection patch update get list watch]
  pods                    []                 []              [create delete deletecollection patch update get list watch]
  ...
These built-in roles exist to keep the system in order (sounds a bit like "maintaining world peace", doesn't it?). In practice, when you are not sure how to assign permissions, looking at them shows you how to configure things.
I can say clearly that the k8s permission management system is very, very similar to that of databases, especially Oracle; if you are familiar with databases, getting started with k8s permission management is also very easy.