https://www.qikqiak.com/k8strain2/security/rbac/
https://www.bookstack.cn/read/feiskyer-kubernetes-handbook/plugins-auth.md
RBAC 权限控制 - 图1
https://kubernetes.io/zh/docs/reference/access-authn-authz/rbac/
基于角色(Role)的访问控制(RBAC)是一种基于组织中用户的角色来调节控制对 计算机或网络资源的访问的方法

API 对象

RBAC 权限控制 - 图2

Role 和 ClusterRole

  1. kubectl create ns app-team1
  2. kubectl create serviceaccount cicd-token -n app-team1
  3. kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployment,statefulset,daemonset
  4. kubectl create rolebinding cicd-clusterrole --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token
  1. 1
  2. [rancher@rmaster01 ~]$ kubectl create clusterrole deploymen-clusterrole --verb=create --resource=deployments,daemonsets,statefulsets
  3. clusterrole.rbac.authorization.k8s.io/deploymen-clusterrole created
  4. 2
  5. [rancher@rmaster01 ~]$ kubectl create namespace app-team1
  6. namespace/app-team1 created
  7. 3
  8. [rancher@rmaster01 ~]$ kubectl -n app-team1 create serviceaccount cicd-token
  9. serviceaccount/cicd-token created
  10. 4
  11. [rancher@rmaster01 ~]$ kubectl -n app-team1 create rolebinding cicd-token-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token
  12. rolebinding.rbac.authorization.k8s.io/cicd-token-binding created
  18. 5
  19. [rancher@rmaster01 ~]$ kubectl -n app-team1 get clusterrole |grep deploymen-clusterrole 
  20. deploymen-clusterrole                                                  2021-03-23T13:40:18Z
  21. [rancher@rmaster01 ~]$
  22. [rancher@rmaster01 ~]$ kubectl -n app-team1 describe clusterrole deploymen-clusterrole 
  23. Name:         deploymen-clusterrole
  24. Labels:       <none>
  25. Annotations:  <none>
  26. PolicyRule:
  27.   Resources          Non-Resource URLs  Resource Names  Verbs
  28.   ---------          -----------------  --------------  -----
  29.   daemonsets.apps    []                 []              [create]
  30.   deployments.apps   []                 []              [create]
  31.   statefulsets.apps  []                 []              [create]
  32. 6
  33. [rancher@rmaster01 ~]$ kubectl -n app-team1 get rolebinding
  34. NAME                 ROLE                                 AGE
  35. cicd-token-binding   ClusterRole/deployment-clusterrole   39s
  36. 7
  37. [rancher@rmaster01 ~]$ kubectl -n app-team1 describe rolebinding cicd-token-binding
  38. Name:         cicd-token-binding
  39. Labels:       <none>
  40. Annotations:  <none>
  41. Role:
  42.   Kind:  ClusterRole
  43.   Name:  deployment-clusterrole
  44. Subjects:
  45.   Kind            Name        Namespace
  46.   ----            ----        ---------
  47.   ServiceAccount  cicd-token  app-team1
  48. 8
  49. [rancher@rmaster01 ~]$ kubectl -n app-team1 get serviceaccounts 
  50. NAME         SECRETS   AGE
  51. cicd-token   1         20s
  52. default      1         3d20h
  53. [rancher@rmaster01 ~]$
  54. [rancher@rmaster01 ~]$ kubectl -n app-team1 describe serviceaccounts cicd-token 
  55. Name:                cicd-token
  56. Namespace:           app-team1
  57. Labels:              <none>
  58. Annotations:         <none>
  59. Image pull secrets:  <none>
  60. Mountable secrets:   cicd-token-token-8wvck
  61. Tokens:              cicd-token-token-8wvck
  62. Events:              <none>
  63. 9
  64. [rancher@rmaster01 ~]$ kubectl -n app-team1 get secrets
  65. NAME                     TYPE                                  DATA   AGE
  66. cicd-token-token-8wvck   kubernetes.io/service-account-token   3      27s
  67. default-token-d28tf      kubernetes.io/service-account-token   3      3d20h
  68. [rancher@rmaster01 ~]$
  69. [rancher@rmaster01 ~]$ kubectl -n app-team1 describe secrets cicd-token-token-8wvck 
  70. Name:         cicd-token-token-8wvck
  71. Namespace:    app-team1
  72. Labels:       <none>
  73. Annotations:  kubernetes.io/service-account.name: cicd-token
  74.               kubernetes.io/service-account.uid: 936fdb19-8083-400c-b45e-3c5eefb4936a
  76. Type:  kubernetes.io/service-account-token
  78. Data
  79. ====
  80. ca.crt:     1017 bytes
  81. namespace:  9 bytes
  82. token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IldsX0UyaDZXTm51N2RzUTRWa21td204R3dhVmxLNmNtOWZ1dkRKSG5WWUEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJhcHAtdGVhbTEiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2ljZC10b2tlbi10b2tlbi04d3ZjayIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjaWNkLXRva2VuIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiOTM2ZmRiMTktODA4My00MDBjLWI0NWUtM2M1ZWVmYjQ5MzZhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmFwcC10ZWFtMTpjaWNkLXRva2VuIn0.biiSjHF1ihcig-1drK4YseWVsEQFTE1ihncRTpFJ5D-qf315F-v3USy9gBO2erC6KWi-_sLuUfgOQvZttzqLpzJZuky4X9jnaUPEdjgwHXOTNPBhN8Q93CPt_uCwyHSQVDaRZ_SBOwcBQzunrsakbVD1HpSlgNwiLyP8NJaFTnp_VbRlBWr9un3D4iYvSbgeVqfSru_4IVSPw7WLYPXdnzlsMLvZYXoh1vqXGzk5OS35Dmg69tw-EK-vO1j_N_AcIVzW3iVBRQC2MgifHpa8jf020naVKGUPtY-y0HENoCqzsRVXnDbI47vm8Lg1b9AQ7dQEvDgcEP5-fKME2wnfHA
  83. 10
  84. [rancher@rmaster01 ~]$ kubectl -n app-team1 describe namespaces app-team1 
  85. Name:         app-team1
  86. Labels:       <none>
  87. Annotations:  cattle.io/status:
  88.                 {"Conditions":[{"Type":"ResourceQuotaInit","Status":"True","Message":"","LastUpdateTime":"2021-03-23T13:40:41Z"},{"Type":"InitialRolesPopu...
  89.               lifecycle.cattle.io/create.namespace-auth: true
  90. Status:       Active
  91. No resource quota.
  92. No LimitRange resource.