k8s通过sa和自建角色实现权限精细化分配-Toy模板网

这篇具有很好参考价值的文章主要介绍了k8s通过sa和自建角色实现权限精细化分配。希望对大家有所帮助。如果存在错误或未考虑完全的地方，请大家不吝赐教，您也可以点击"举报违法"按钮提交疑问。

权限精细化分配—通过sa和自建角色实现权限精细化分配

1.新建sa

kubectl create sa lishanbin -n planck

2.建立一个角色，并将该角色绑定到sa上

角色role-sa 具有的权限仅仅是namespace planck内的所有pod的查看权限，以及deployment的查看权限，无权删除修改这些资源

[root@k8s-master ~]# cat sa-role-binding.yaml 
#k8s 1.22.10
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-sa
  namespace: planck                         #指定 Namespace
rules:                                      #权限分配
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["pods/attach"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["podtemplates"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments","statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["replicationcontrollers/status"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services/status"]
    verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-role-binding
  namespace: planck                 #指定 Namespace
subjects:
  - kind: ServiceAccount
    name: lishanbin                 #指定 ServiceAccount
    namespace: planck              #指定 Namespace
roleRef:
  kind: Role
  name: role-sa
  apiGroup: rbac.authorization.k8s.io

3.授权namespace的权限,设置ClusterRole和ClusterRolebinding

为什么要授权是因为sa内的secrets里的token只有在dashboard内使用，而上面的角色和角色绑定都是dev这个namespace内的，这样绑定后，拿到token才可以登录到dashboard的首页，否则都无法选择namespace。

cat rbac-cluster-role-binding.yaml 
#k8s 1.22.10
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-namespace-role
rules:
  - apiGroups: [""]                     #配置权限，配置其只用于 namespace 的 list 权限
    resources: ["namespaces"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["namespaces/status"]
    verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbac-default-role-binding
subjects:
  - kind: ServiceAccount
    name: lishanbin                     #配置为自定义的 ServiceAccount
    namespace: planck                  #指定为服务账户所在的 Namespace
roleRef:
  kind: ClusterRole
  name: rbac-namespace-role             #配置上面的 Role
  apiGroup: rbac.authorization.k8s.io



kubectl -n planck describe secret $(kubectl get secret -n planck | grep lishanbin | awk '{print $1}')

kubernetes的dashboard提供Token和kubeconfig两种认证方式，因此上面拿到token以后可以通过token进行访问planck这个ns下的资源了。文章来源地址https://www.toymoban.com/news/detail-649595.html

到了这里，关于k8s通过sa和自建角色实现权限精细化分配的文章就介绍完了。如果您还想了解更多内容，请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章，希望大家以后多多支持TOY模板网！