RBAC, Role-Based Access Control
1. Role
A namespace-scoped role. It defines which Kubernetes resources (API group, resource) the role may access and with which verbs.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role  # kind is Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```
2. ClusterRole
A cluster-scoped role.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole  # kind is ClusterRole (cluster-scoped)
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: secret-reader
rules:
- apiGroups: [""]
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
```
3. RoleBinding
A role binding: a namespace-scoped binding that grants a role to one or more users (subjects).
```yaml
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: User
  name: jane # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
```
4. ClusterRoleBinding
A cluster-scoped role binding; its roleRef can only be a ClusterRole.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "dave" to read secrets in the "development" namespace.
# You need to already have a ClusterRole named "secret-reader".
kind: RoleBinding
metadata:
  name: read-secrets
  # The namespace of the RoleBinding determines where the permissions are granted.
  # This only grants permissions within the "development" namespace.
  namespace: development
subjects:
- kind: User
  name: dave # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```
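To make the scoping rules concrete, here is an added example (not from the original page) that models how the RBAC authorizer evaluates the four manifests above: a Role or RoleBinding grants only in its namespace, even when the RoleBinding's roleRef is a ClusterRole (as in the "read-secrets" manifest), while a ClusterRoleBinding grants in every namespace. The ClusterRoleBinding for a group named "secret-auditors" is constructed here for contrast and does not appear on the page.

```python
# Added example, not code from the original page: a minimal model of how the
# Kubernetes RBAC authorizer evaluates the objects above (rule matching and
# binding scope only; aggregation, resourceNames and non-resource URLs omitted).
from collections import namedtuple

Rule = namedtuple("Rule", "api_groups resources verbs")
# kind: "RoleBinding" or "ClusterRoleBinding"; namespace only matters for a RoleBinding;
# subjects: (kind, name) pairs; role_ref: (kind, name) naming a Role or ClusterRole.
Binding = namedtuple("Binding", "kind namespace subjects role_ref")

# The page's four objects as Python data (no PyYAML dependency), plus one constructed
# ClusterRoleBinding for contrast: it grants the same ClusterRole in every namespace.
ROLES = {("default", "pod-reader"): [Rule([""], ["pods"], ["get", "watch", "list"])]}
CLUSTER_ROLES = {"secret-reader": [Rule([""], ["secrets"], ["get", "watch", "list"])]}
BINDINGS = [
    Binding("RoleBinding", "default", [("User", "jane")], ("Role", "pod-reader")),
    Binding("RoleBinding", "development", [("User", "dave")], ("ClusterRole", "secret-reader")),
    Binding("ClusterRoleBinding", None, [("Group", "secret-auditors")], ("ClusterRole", "secret-reader")),
]

def rule_allows(rule, api_group, resource, verb):
    """A rule matches when API group, resource and verb all match ('*' is a wildcard)."""
    return (("*" in rule.api_groups or api_group in rule.api_groups)
            and ("*" in rule.resources or resource in rule.resources)
            and ("*" in rule.verbs or verb in rule.verbs))

def can_i(subject, verb, resource, namespace, api_group=""):
    """Mimics `kubectl auth can-i` for a (kind, name) subject; deny is the default."""
    for b in BINDINGS:
        if subject not in b.subjects:
            continue
        # A RoleBinding only grants inside its own namespace, even when its roleRef
        # is a ClusterRole; a ClusterRoleBinding applies in every namespace.
        if b.kind == "RoleBinding" and b.namespace != namespace:
            continue
        ref_kind, ref_name = b.role_ref
        if ref_kind == "Role":   # a Role is looked up in the binding's own namespace
            rules = ROLES.get((b.namespace, ref_name), [])
        else:
            rules = CLUSTER_ROLES.get(ref_name, [])
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

Against a real cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n <namespace> --as <user>`, which is the check to run after applying any of these bindings.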
