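Question

Context
Create a new ClusterRole for the deployment pipeline and bind it to a specific ServiceAccount scoped to a specific namespace.
Task
Create a new ClusterRole named deployment-clusterrole that only allows creating the following resource types:
Deployment
StatefulSet
DaemonSet
Create a new ServiceAccount named cicd-token in the existing namespace app-team1.
Bind the new ClusterRole deployment-clusterrole to the new ServiceAccount cicd-token, limited to the namespace app-team1.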

Reference

https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/#%E4%B8%80%E4%BA%9B%E5%91%BD%E4%BB%A4%E8%A1%8C%E5%B7%A5%E5%85%B7

Solution

Take care not to omit the namespace here.

    student@master01:~$ kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets
    clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created
    student@master01:~$ kubectl get clusterrole | grep deployment-clusterrole
    deployment-clusterrole   2022-05-06T07:36:16Z
    student@master01:~$ kubectl -n app-team1 create serviceaccount cicd-token
    serviceaccount/cicd-token created
    student@master01:~$ kubectl -n app-team1 get serviceaccounts
    NAME         SECRETS   AGE
    cicd-token   1         15s
    default      1         71d
    student@master01:~$ kubectl -n app-team1 create clusterrolebinding cicd-token-clusterrolebinding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token
    clusterrolebinding.rbac.authorization.k8s.io/cicd-token-clusterrolebinding created
    student@master01:~$ kubectl -n app-team1 get clusterrolebinding cicd-token-clusterrolebinding
    NAME                            ROLE                                 AGE
    cicd-token-clusterrolebinding   ClusterRole/deployment-clusterrole   26s
    student@master01:~$
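
The task limits the grant to app-team1. A ClusterRoleBinding is a cluster-scoped object, so -n does not narrow it and the ServiceAccount can create these workloads in every namespace; a RoleBinding that references the ClusterRole confines the grant to its own namespace. The script below is an added example, not part of the original solution: it creates that RoleBinding and checks the resulting scope with kubectl auth can-i. The binding name cicd-token-rolebinding, the comparison namespace default and the function names are assumptions, and the caller must be allowed to impersonate the ServiceAccount.

```shell
# Added example (not from the original solution).
NS=app-team1
SA=cicd-token
ROLE=deployment-clusterrole
SUBJECT="system:serviceaccount:${NS}:${SA}"

# Bind the ClusterRole with a RoleBinding so the grant applies only inside $NS.
# The binding name is an assumption made for this example.
bind_in_namespace() {
  kubectl -n "$NS" create rolebinding "${SA}-rolebinding" \
    --clusterrole="$ROLE" --serviceaccount="${NS}:${SA}"
}

# can_i VERB RESOURCE NAMESPACE: exit 0 if the ServiceAccount is allowed.
# --quiet suppresses output; kubectl reports the answer in its exit code.
can_i() {
  kubectl auth can-i "$1" "$2" -n "$3" --as="$SUBJECT" --quiet
}

# verify_scope [OTHER_NS]: return 0 only if the grant matches the task:
# create on the three workload types in $NS, no create in OTHER_NS,
# and no other verb (delete is used as the probe) in $NS.
verify_scope() {
  other_ns="${1:-default}"
  for r in deployments statefulsets daemonsets; do
    can_i create "$r" "$NS" || { echo "missing: create $r in $NS"; return 1; }
    if can_i create "$r" "$other_ns"; then
      echo "over-privileged: create $r in $other_ns"; return 1
    fi
    if can_i delete "$r" "$NS"; then
      echo "over-privileged: delete $r in $NS"; return 1
    fi
  done
  echo "scope ok"
}

# Usage on the cluster: bind_in_namespace && verify_scope default
```

verify_scope fails with an "over-privileged" message when the role was bound through a ClusterRoleBinding, and with a "missing" message when the --serviceaccount value names the wrong namespace.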